Abstract. We present an approach to parameterized reachability for
communicating finite-state threads that formulates the analysis as a
satisfiability problem. In addition to the unbounded number of threads, the
main challenge for SAT/SMT-based reachability methods is the existence of
unbounded loops in the program executed by a thread. We show in this paper how
simple loops can be accelerated without approximation into Presburger
arithmetic constraints. The constraints are obtained via symbolic execution
and are satisfiable exactly if the given program state is reachable. We
summarize loops nested inside other loops using recurrence relations derived
from the inner loop's acceleration. This summary abstracts the loop iteration
parameter and may thus overapproximate. An advantage of our symbolic approach
is that the process of building the Presburger formulas may instantly reveal
their unsatisfiability, before any arithmetic has been performed. We
demonstrate the power of this technique for proving and refuting safety
properties of unbounded-thread programs and other infinite-state transition
systems.


1 Introduction 

Unbounded-thread program verification continues to attract the attention it
deserves: it targets programs designed to run on multi-user platforms and web
servers, where concurrent software threads respond to service requests of a
number of clients that can usually neither be predicted nor meaningfully
bounded from above a priori. To account for these circumstances, such programs
are designed for an unspecified and unbounded number of parallel threads that
is a system parameter.

We target in this paper unbounded-thread shared-memory programs where each
thread executes a non-recursive, finite-data procedure. This model is popular,
as it connects to multi-threaded C programs via predicate abstraction, a
technique that has enjoyed progress for concurrent programs in recent years
[?]. The model is also popular since basic program state reachability
questions are decidable, although of high complexity: the equivalent
coverability problem for Petri nets was shown to be EXPSPACE-complete [5]. The
motivation for our work is therefore not to solve this problem per se, but to
do so with practicable efficiency.

Building on impressive recent advances in SMT technology, the approach we take
in this paper is to reduce the analysis to a logical decision problem. Such
reductions are common in the context of bounded model checking, where
finite-length execution paths are translated into logical constraints whose
satisfiability indicates the reachability of some (error) condition along the
path. In our context, we intend to strengthen this principle along two lines:

(A) we are dealing with multi-threaded programs; the different thread
interleavings give rise to too many execution paths for them to be enumerated; and

(B) we aim at finding bugs and soundly proving safety; we can thus not simply 
bound the path length by a constant. 

In this paper we tackle challenge (A) by considering an abstraction of the 
given program whose single-threaded execution overapproximates the execution 
of the original program by any number of threads. The abstraction is surprisingly 
simple: it allows the single thread to change its local state in certain disciplined 
ways, thereby slipping into the role of a potential parallel thread. We can now 
analyze this sequential program, without regard for interleavings. 

The question whether an abstract error path can be concretized is decided via
a satisfiability problem, by symbolically executing a known coverability
algorithm [5] along potential multi-threaded error paths. Here we face
challenge (B): the given program may feature loops, an issue that is in fact
exacerbated by the additional behavior in the abstraction. To permit unbounded
symbolic execution along paths with loops, we show how simple loops can be
accelerated, without loss of information, into a formula that specifies how
the number of threads per local state changes during one loop iteration. These
changes can be expressed in Presburger arithmetic, the decidable theory over
linear integer operations.

Complicated loop nests are not amenable to exact acceleration. We summarize
such nests by abstracting the iteration count for inner loops and
approximating outer loops by solving a recurrence relation. This process
introduces imprecision and the potential for spurious reachability results. To
detect this possibility, we need to recover the iteration counts for inner
loops. Our algorithm does this in a refinement cycle whose complexity is
linear in the nesting height of the loop arrangement. The result is a sound
symbolic coverability method that is often also able to produce paths
witnessing error state reachability. In the absence of nested loops, the
algorithm is sound and complete.

Our algorithm can be viewed as separating the branching required in
exhaustive infinite-state searches such as Abdulla's algorithm [2], and the
arithmetic required to keep track of the number of threads per local state.
Our abstract structure is loop-free and can thus be explored path by path.
Each path is symbolically executed into a Presburger formula. The question
whether the target state is reachable along this path can then often be
answered very quickly. If the path does not connect the initial and target
states, it is not even considered for symbolic execution. Contrast this with
pure search techniques, which might explore the search space into a particular
direction, only to find that all paths in this direction dead-end.

Recent work on solving coverability questions via marking equations [7] is, to
our knowledge, one of the first practical attempts to tackle infinite-state
reachability via SMT technology. While very efficient, this method can
reliably recognize only unreachable instances and indeed produces many
spurious answers. In this paper we show how control flow information present
in multi-threaded programs can be exploited to obtain distinctly more precise
symbolic encodings of the reachability problem, while retaining much of its
efficiency.

This submission comes with an appendix containing proofs to claims made 
in this paper, and other material. 


2 Thread-Transition Diagrams and Backward Search 

We assume multi-threaded programs are given in the form of an abstract state
machine called thread transition diagram [16]. Such a diagram reflects the
replicated nature of programs we consider: programs consisting of threads
executing a given procedure defined over shared ("global") and
(procedure-)local variables. A thread transition diagram (TTD) is a tuple
$\mathcal{P} = (S, L, R)$, where

— $S$ is a finite set of shared states;

— $L$ is a finite set of local states;

— $R \subseteq (S \times L) \times (S \times L)$ is a (finite) set of edges.

An element of $V = S \times L$ is called thread state. We write
$(s_1, l_1) \to (s_2, l_2)$ for $((s_1, l_1), (s_2, l_2)) \in R$. We assume the
TTD has a unique initial thread state, denoted $t_I = (s_I, l_I)$. App. A
explains how this can be enforced under some very light-weight condition. An
example of a TTD is shown in Fig. 1(a).

A TTD gives rise to a family, parameterized by $n$, of transition systems
$\mathcal{P}_n = (V_n, R_n)$ over the state space $V_n = S \times L^n$, whose
states we write in the form $(s \mid l_1, \ldots, l_n)$. This notation
represents a global system state with shared component $s$, and $n$ threads in
local states $l_i$, for $i \in \{1, \ldots, n\}$. The transitions of
$\mathcal{P}_n$, forming the set $R_n$, are written in the form
$(s \mid l_1, \ldots, l_n) \rightarrowtail (s' \mid l'_1, \ldots, l'_n)$. This
transition is defined exactly if there exists $i \in \{1, \ldots, n\}$ such
that $(s, l_i) \to (s', l'_i)$ and for all $j \neq i$, $l_j = l'_j$. That is,
our execution model is asynchronous: each transition affects the local state
of at most one thread. The initial state set of $\mathcal{P}_n$ is
$\{s_I\} \times \{l_I\}^n$. A path of $\mathcal{P}_n$ is a finite sequence of
states in $V_n$ whose first element is initial, and whose adjacent elements
are related by $R_n$. A thread state $(s, l) \in S \times L$ is reachable in
$\mathcal{P}_n$ if there exists a path in $\mathcal{P}_n$ ending in a state
with shared state component $s$ and some thread in local state $l$.

A TTD also gives rise to an infinite-state transition system
$\mathcal{P}_\infty = (V_\infty, R_\infty)$, whose set of
states/transitions/initial states/paths is the union of the sets of
states/transitions/initial states/paths of $\mathcal{P}_n$, for all
$n \in \mathbb{N}$. We are tackling in this paper the thread state
reachability question: given a TTD $\mathcal{P}$ and a final thread state
$(s_F, l_F)$, is $(s_F, l_F)$ reachable in $\mathcal{P}_\infty$? It is easy to
show that this question is decidable, by encoding $\mathcal{P}_\infty$ as a
well quasi-ordered system (WQOS) [2]: let the covers relation $\succeq$ over
$V_\infty$ be defined as follows:

$(s \mid l_1, \ldots, l_n) \succeq (s' \mid l'_1, \ldots, l'_{n'})$

whenever $s = s'$ and $[l_1, \ldots, l_n] \supseteq [l'_1, \ldots, l'_{n'}]$,
where $[\cdot]$ denotes a multiset. Relation $\succeq$ is a well quasi-order
on $V_\infty$, and $(\mathcal{P}_\infty, \succeq)$ satisfies the definition of
a WQOS, in particular the monotonicity property required of $\succeq$ and
$\rightarrowtail$. The thread state reachability question can now be cast as
a coverability problem, which is decidable but of high complexity, e.g.
EXPSPACE-complete for standard Petri nets [5], which are equivalent in
expressiveness to infinite-state transition systems obtained from TTDs [11].

(Figure: panels (a), (b), (c).)

Fig. 1. (a) A thread transition diagram $\mathcal{P}$ (initial state
$t_I = (0, 0)$); (b) part of the Expanded TTD $\mathcal{P}^+$ with a path
$\sigma^+$; (c) part of the SCC quotient graph $\bar{\mathcal{P}}$ of
$\mathcal{P}^+$, with quotient path $\sigma$. The black disc represents the
loop in $\sigma^+$ (the other SCCs are trivial).


A sound and complete algorithm to decide coverability for WQOS is the backward
search algorithm by Abdulla et al. [3, 2], a simple version of which is shown
in Alg. 1. Input is a set of initial states $I \subseteq V_\infty$, and a
non-initial final state $q$. The algorithm maintains a work set
$W \subseteq V_\infty$ of unprocessed states, and a set $U \subseteq V_\infty$
of minimal encountered states. It successively computes minimal cover
predecessors

$\mathrm{CovPre}(w) = \min\{p : \exists w' \succeq w : p \rightarrowtail w'\}$   (1)

starting from $q$, and terminates either by backward-reaching an initial state
(thus proving coverability of $q$), or when no unprocessed vertex remains
(thus proving uncoverability).

Algorithm 1 Bws($I$, $q$)
Input: initial states $I$, final state $q \notin I$
1: $W := \{q\}$; $U := \{q\}$
2: while $\exists w \in W$
3:   $W := W \setminus \{w\}$
4:   for $p \in \mathrm{CovPre}(w) \setminus {\uparrow}U$
5:     if $p \in I$ then
6:       "$q$ coverable"
7:     $W := \min(W \cup \{p\})$
8:     $U := \min(U \cup \{p\})$
9: "$q$ not coverable"

Alg. 1: infinite-state backward search. Symbol ${\uparrow}U$ stands for the
upward closure of $U$: ${\uparrow}U = \{u' : \exists u \in U : u' \succeq u\}$.
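The backward search of Alg. 1, implemented in Python as an added example (the editor's code, not the paper's tool). The TTD below is constructed for the purpose and is not the paper's Fig. 1; the names R, T_I and the function names are assumptions. Global states are represented as (shared state, sorted tuple of local states), so the multiset comparison of the covers relation becomes a counter comparison; cov_pre follows Eq. (1), adding at most one thread per backward firing, and bws discards every predecessor that lies in the upward closure of U.

```python
from collections import Counter

# Constructed example TTD (the editor's, not the paper's Fig. 1).  A thread
# state is (shared, local); the initial thread state T_I is (0, 0).
R = {
    ((0, 0), (0, 1)),   # a thread moves 0 -> 1 while the shared state is 0
    ((0, 1), (1, 1)),   # a thread in local state 1 sets the shared state to 1
    ((1, 1), (1, 2)),   # a thread moves 1 -> 2 at shared state 1
    ((1, 2), (3, 2)),   # a thread in local state 2 sets the shared state to 3
    ((3, 1), (4, 4)),   # a thread in 1 moves to 4 and sets the shared state to 4
    ((4, 1), (4, 3)),   # a thread in 1 moves to 3 at shared state 4
}
T_I = (0, 0)


def state(s, locals_):
    """Global state (s | l_1, ..., l_n) as (s, sorted tuple): the tuple order
    is immaterial, so sorting yields a canonical multiset representation."""
    return (s, tuple(sorted(locals_)))


def covers(a, b):
    """The covers relation a >= b: equal shared states and a's local-state
    multiset contains b's."""
    if a[0] != b[0]:
        return False
    ca, cb = Counter(a[1]), Counter(b[1])
    return all(ca[l] >= k for l, k in cb.items())


def minimal(states):
    """The >=-minimal elements of a set of global states."""
    states = set(states)
    return {x for x in states if not any(y != x and covers(x, y) for y in states)}


def cov_pre(w, edges):
    """Eq. (1): minimal cover predecessors of w.  Every edge (s,l) -> (s',l')
    whose target shared state matches w's is fired backwards: if a thread sits
    in l' it moves back to l; otherwise w is first expanded by one thread in
    l' (at most one per step, footnote 1), which then moves back to l."""
    s_w, locs = w
    preds = set()
    for (s, l), (s2, l2) in edges:
        if s2 != s_w:
            continue
        c = Counter(locs)
        if c[l2] > 0:
            c[l2] -= 1          # an existing thread in l' is moved back to l
        c[l] += 1               # (expansion case: the added thread lands in l)
        preds.add(state(s, c.elements()))
    return minimal(preds)


def is_initial(p):
    """p lies in {s_I} x {l_I}^n for some n >= 1."""
    return p[0] == T_I[0] and len(p[1]) > 0 and all(l == T_I[1] for l in p[1])


def bws(edges, q):
    """Alg. 1: returns True iff q is coverable from the initial states."""
    if is_initial(q):
        return True
    W, U = {q}, {q}
    while W:
        w = W.pop()
        for p in cov_pre(w, edges):
            if any(covers(p, u) for u in U):   # p is in the upward closure of U
                continue
            if is_initial(p):
                return True
            W = minimal(W | {p})
            U = minimal(U | {p})
    return False


def thread_state_reachable(edges, t):
    """Thread state t = (s, l) is reachable in P_inf iff (s | l) is coverable."""
    return bws(edges, state(t[0], [t[1]]))
```

On this TTD, (4, 3) is reachable only with three threads (one reaches local state 2 and sets the shared state to 3, a second moves to 4, a third then moves to 3); the search finds the initial state (0 | 0, 0, 0) backwards without ever enumerating interleavings. Termination rests on the well quasi-order: U remains an antichain, and a predecessor larger than something already in U is never added.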
3 Reachability as a Decision Problem: Overview

Our approach to encoding reachability in $\mathcal{P}_\infty$ as a decision
problem operates over an abstraction of the given TTD, with the property that
any thread state reachable in $\mathcal{P}_\infty$ for any number of threads
is also reachable in the abstract structure executed by a single thread. The
search for paths to the final thread state can therefore focus on abstract
single-thread paths. The imprecision introduced by this abstraction is
eliminated later when each path is translated into a Presburger formula, as we
will see. In this section we first define this abstract structure, and then
present the intuition of our algorithm.


3.1 A Single-Threaded Abstraction of $\mathcal{P}_\infty$

A key operation employed during Alg. 1 is what we call expansion (of a state):
the addition of a thread in a suitable local state during the computation of
cover predecessors (1). We can simulate the effect of such expansions without
adding threads, by allowing a thread to repeatedly change its local state in
certain disciplined ways. To this end, we expand the TTD data structure as
follows.

Def. 1 Given a TTD $\mathcal{P} = (S, L, R)$, an expansion edge is an edge
$((s, l), (s, l'))$ (same shared state) such that $l \neq l'$. The Expanded
TTD (ETTD) of $\mathcal{P}$ is the structure $\mathcal{P}^+ = (S, L, R^+)$
with $R^+ = R \cup \{e : e \text{ expansion edge}\}$.

To distinguish the edge types in $\mathcal{P}^+$, we speak of real edges
($\in R$) and expansion edges. Intuitively, expansion edges close the gap
between two real edges whose target and source, respectively, differ only in
the local state. This can be seen in Fig. 1(b), which shows part of the ETTD
generated from the TTD in Fig. 1(a). In the graphical representation,
expansion edges run horizontally and are shown as dashed arrows
$(s, l) \dashrightarrow (s, l')$.

As we will see, our reachability algorithm processes certain paths from $t_I$
to $t_F$, of which $\mathcal{P}^+$ may still have infinitely many, due to the
possibility of loops. To facilitate this process, we collapse the ETTD into a
quotient structure, by replacing loops with single nodes that represent the
unique strongly connected component a loop is part of. Let therefore
$\bar{\mathcal{P}}$ be the (acyclic) SCC quotient of the expanded graph
$\mathcal{P}^+$; an example is shown in Fig. 1(c).

Being loop-free, the quotient graph $\bar{\mathcal{P}}$ contains only finitely
many paths between any two nodes. It also has another key property that makes
it attractive for our algorithm: let us interpret $\mathcal{P}^+$ and
$\bar{\mathcal{P}}$ as sequential transition systems. That is, when we speak
of reachability and paths in $\mathcal{P}^+$ ($\bar{\mathcal{P}}$), we mean
"when $\mathcal{P}^+$ ($\bar{\mathcal{P}}$) is executed by a single thread
from $t_I$". In contrast, in $\mathcal{P}_\infty$ these concepts are
interpreted over an unbounded number of threads executing $\mathcal{P}$ from
$t_I$. Given these stipulations: $\bar{\mathcal{P}}$ overapproximates
$\mathcal{P}_\infty$, in the sense that, if thread state $t_F$ is reachable in
$\mathcal{P}_\infty$, then $t_F$ is also reachable in $\bar{\mathcal{P}}$.
This property is (proved as) part of our main correctness Thm. 4 later in
this paper.


3.2 Backward Search via Symbolic Execution


Given the reachability semantics defined in Sect. 3.1, each multi-thread path
in $\mathcal{P}_\infty$ corresponds to a single-thread path in the quotient
structure $\bar{\mathcal{P}}$. Our algorithm therefore first identifies paths
in $\bar{\mathcal{P}}$ from $t_I$ to $t_F$; if none, $t_F$ is unreachable in
$\mathcal{P}_\infty$. If such paths do exist, we cannot conclude reachability
in $\mathcal{P}_\infty$: for example, thread state $t_F := (6, 4)$ in Fig. 1
is easily seen to be unreachable in $\mathcal{P}_\infty$, no matter how many
threads execute the diagram $\mathcal{P}$ in (a), but is obviously
(sequentially) reachable in $\bar{\mathcal{P}}$ (c).

We therefore need to decide, for each path in $\bar{\mathcal{P}}$ from $t_I$
to $t_F$, whether it conversely corresponds to a valid multi-thread path in
$\mathcal{P}_\infty$. To this end, consider the operation of the backward
search Alg. 1. Given a global state of the form
$(s' \mid l'_1, \ldots, l'_n)$, it computes cover predecessors (Eq. (1)), by
first firing edges of $R$ backwards whose targets equal one of the thread
states $(s', l'_i)$. Second, for each edge $e$ whose target $(s', l')$ (with
shared state $s'$) does not match any of the thread states $(s', l'_i)$,
Alg. 1 expands the global state, by adding one thread in local state $l'$,
followed by firing $e$ backwards, using the added thread.¹

The steps performed by Alg. 1 can be expressed in terms of updates to
local-state counters. For an edge $e$ of the form $(s, l) \to (s', l')$, if
the current global state $(s' \mid l'_1, \ldots, l'_n)$ contains a thread in
local state $l'$, firing $e$ backwards amounts to decrementing the counter
$n_{l'}$ for $l'$, and incrementing the counter $n_l$ for $l$. If the current
global state does not contain a thread in local state $l'$, firing $e$
backwards amounts to temporarily incrementing $n_{l'}$ (= setting it to 1),
followed by decrementing it (= back to 0), followed by incrementing $n_l$.

We can execute these steps symbolically, instead of concretely, by traversing
a given path $\sigma$ in $\bar{\mathcal{P}}$ from $t_F$ backward to $t_I$,
assuming for now we visit only trivial SCCs. Each real edge in $\sigma$
simulates the standard backward firing of an edge. Each expansion edge in
$\sigma$ simulates the temporary addition of a thread in a local state. We
perform these simulations by encoding the corresponding counter updates
described in the previous paragraph as logical constraints over the
local-state counters. The assertion that $t_F$ is reachable in
$\mathcal{P}_\infty$ then translates to the condition that, given these
constraints, the values for all counters at the end of the simulation, i.e.
when backward-reaching $t_I$ along $\sigma$, are zero, with the exception of
$n_{l_I}$: this condition ensures that the global state constructed via
symbolic backward execution is of the form $\{s_I\} \times \{l_I\}^n$, i.e.
initial.

The constraints are expressible in Presburger (linear integer) arithmetic. To
demonstrate this, we introduce some light notation. For $x, y \in \mathbb{Z}$
and $b \in \mathbb{N}$, let $x \oplus_b y = \max\{x + y, b\}$. Intuitively,
$x \oplus_b y$ is "$x + y$ but at least $b$". When $b = 0$, we omit the
subscript. We also use $x \ominus_b y$ as a shorthand for $x \oplus_b (-y)$
(= $\max\{x - y, b\}$). For example, $x \ominus 1$ equals $x - 1$ if
$x \geq 1$, and 0 otherwise. Neither $\oplus_b$ nor $\ominus_b$ are
associative: $(1 \ominus 2) \oplus -3 = 0 \neq 1 = 1 \ominus (2 \oplus -3)$.
We therefore stipulate: these operators (i) associate from left to right, and
(ii) have the same binding power as $+$ and $-$.


¹ We exploit here the fact that the cover pre-image (1) in systems induced by
TTDs increases the number of threads in a state by at most 1 (proved in
[11, Lemma 1]).
Operators $\oplus$/$\ominus$ are syntactic sugar for standard Presburger
terms: we can rewrite a formula $\psi$ containing $x \oplus_b y$, using a
fresh variable $v$ per occurrence:

$\psi = (\psi|_{(x \oplus_b y) \to v}) \wedge ((x + y \geq b \wedge v = x + y) \vee (x + y < b \wedge v = b))$   (2)

where $\alpha|_{\beta \to \gamma}$ denotes substitution of $\gamma$ for
$\beta$ in $\alpha$.

The summary of a path $\sigma$ in $\bar{\mathcal{P}}$ for local state $l$
that visits only trivial SCCs is computed in Alg. 2 by symbolically executing
$\sigma$. The path is traversed backwards; for certain edges a "contribution"
to counter $n_l$ is recorded, namely for each edge of $R^+$ that is adjacent
to local state $l$, but only if it is real, or it is an expansion edge that
starts in local state $l$. Note that the three if clauses in Alg. 2 are not
disjoint: the first two both apply when edge $e_i$ is "vertical": it both
enters and exits local state $l$. In this case the two contributions cancel
out.


Algorithm 2 Exact path summary via symbolic execution
Input: path $\sigma = t_1, \ldots, t_k$ in $\bar{\mathcal{P}}$, i.e. $(t_i, t_{i+1}) \in R^+$ for $1 \leq i < k$; local state $l$
1: $e_i := (t_i, t_{i+1})$ for $1 \leq i < k$, $(s_i, l_i) := t_i$ for $1 \leq i \leq k$
2: summary := "$n_l$"                                  ▷ summary is a string
3: for $i := k - 1$ downto 1
4:   if $e_i \in R$ and $l_i = l$ then
5:     summary := summary . "$+1$"                     ▷ . = string concatenation
6:   if $e_i \in R$ and $l_{i+1} = l$ then
7:     summary := summary . "$-1$"
8:   if $e_i \in R^+ \setminus R$ and $l_i = l$ then
9:     summary := summary . "$\ominus 1 + 1$"
10: return summary

Summary functions for local states $l = 0, 1, 2$:

$\Sigma_0(n_0) = n_0 \ominus 1 + 1 - 1 + 1 = n_0 \ominus 1 + 1$
$\Sigma_1(n_1) = n_1 + 1$
$\Sigma_2(n_2) = n_2 - 1$

Examples: $\Sigma_0(0) = 1$, $\Sigma_0(1) = 1$, $\Sigma_1(0) = 1$, $\Sigma_2(1) = 0$.

Fig. 2. A quotient structure $\bar{\mathcal{P}}$ with a vertical edge


The summary of path $\sigma$ for local state $l$ defines a function
$\Sigma_l : \mathbb{N} \to \mathbb{N}$ that summarizes the effect of path
$\sigma$ on counter $n_l$. The summary functions for the short path in Fig. 2
are shown next to the figure. These examples illustrate how we can encode a
quotient path that visits only trivial SCCs into a quantifier-free Presburger
formula. The formula for $\Sigma_0(n_0)$ implies that if we traverse the path
backwards from a state with $n_0 = 0$ threads in local state 0, at the end
there will be $\Sigma_0(0) = 0 \ominus 1 + 1 = 1$ thread in local state 0. If
we start with $n_0 = 1$, we also end up with $n_0 = 1$. Note that the path
cannot be traversed backwards starting with $n_2 = 0$, since its endpoint is
thread state $(2, 2)$.

What remains to be resolved is the handling of non-trivial SCCs along
$\sigma$. Such SCCs are contractions of loops in the expanded structure
$\mathcal{P}^+$, to the effect that paths in $\mathcal{P}^+$ are no longer
finite; their summaries cannot be obtained by symbolic execution. Loops are of
course the classical "nuisance" when expressing reachability as a
satisfiability problem. We address them in the rest of this paper.

4 Exact Acceleration of Simple Loops

In this section we generalize path summaries to the case of a quotient path
$\sigma$ that visits SCCs formed by a single simple loop, i.e., a single
cyclic path without repeated inner nodes. In contrast to unwinding approaches
such as bounded model checking, we are aiming here at an exact solution.
Namely, for each loop $\mathcal{L}$, we seek a closed form for the value of
local state counter $n_l$ after the backward search Alg. 1 traverses
$\mathcal{L}$ some number of times $\kappa$.

In this section, since we need to "zoom in" to SCCs collapsed into single
nodes in $\bar{\mathcal{P}}$, we instead look at paths in $\mathcal{P}^+$.
Recall that for a straight-line path $\sigma^+ = t_1, \ldots, t_k$, the value
of counter $n_l$ after Alg. 1 traverses $\sigma^+$ can be computed using
$\sigma^+$'s path summary function $\Sigma_l$, determined via symbolic
execution (Alg. 2). We now establish a lemma that renders the summary
function suitable for acceleration, in case the path is cyclic. As in Alg. 2
we define $(s_i, l_i) := t_i$ for $1 \leq i \leq k$. Let

$\delta_l = |\{i : 1 \leq i < k : (t_i, t_{i+1}) \in R \wedge l_i = l\}| - |\{i : 1 \leq i < k : (t_i, t_{i+1}) \in R \wedge l_{i+1} = l\}|$   (3)

be the real-edge summary $\delta_l \in \mathbb{Z}$ of $\sigma^+$, i.e. the
number of real edges along $\sigma^+$ that start in local state $l$, minus
the number of real edges along $\sigma^+$ that end in $l$. Value $\delta_l$
summarizes the total contribution by real edges to counter $n_l$ as path
$\sigma^+$ is traversed backwards: real edges starting in $l$ increment the
counter, those ending in $l$ decrement it. The following lemma uses the
$\delta_l$'s to compactly determine local state $l$'s summary along
$\sigma^+$:

Lem. 2 (proof in App. B) Let $b_l = \Sigma_l(1)$ if $l_k = l$ (path
$\sigma^+$ ends in local state $l$), and $b_l = \Sigma_l(0)$ otherwise. Then
$\Sigma_l(n_l) = n_l \oplus_{b_l} \delta_l$.

The lemma suggests: in order to determine local state $l$'s summary function
in compact form, first compute the constant $\Sigma_l(1)$ (or $\Sigma_l(0)$)
using Alg. 2; $\Sigma_l(n_l)$ is then the formula as specified in the lemma.
The distinction whether path $\sigma^+$ ends in state $l$ is necessary
intuitively because in this case the backward traversal must start from a
state with at least one thread in $l$.
Consider now a loop $\sigma^+ = t_1, \ldots, t_{k-1}, t_1$ in
$\mathcal{P}^+$. Let $\Sigma_l$ be $\sigma^+$'s summary function for local
state $l$, and let $\delta_l$ and $b_l$ be defined as above in (3) and Lem. 2
for the loop path $\sigma^+$.

Thm. 3 (proof in App. C) Let superscript $(\kappa)$ denote $\kappa$ function
applications. Then, for $\kappa \geq 1$,

$\Sigma_l^{(\kappa)}(n_l) = \Sigma_l(n_l) \oplus_{b_l} (\kappa - 1) \cdot \delta_l$.   (4)

In (4), term $\Sigma_l(n_l)$ marks the contribution to counter $n_l$ of the
first loop traversal, while $(\kappa - 1) \cdot \delta_l$ marks the
contribution of the remaining $\kappa - 1$ traversals.²

Example. We show how the reachability of thread state $(6, 4)$ for the TTD
shown in Fig. 1 is analyzed symbolically. For each local state
$l \in \{0, \ldots, 4\}$, the following constraints are obtained by applying
Lem. 2, Thm. 3, and Lem. 2 to the straight-line path from $(6, 4)$ backwards
to $(3, 1)$, the loop from $(3, 1)$ to $(3, 1)$, and the path from $(3, 1)$
to $(0, 0)$, respectively:

$n_0$: $0 \oplus_0 0 \oplus_2 2 \oplus_2 (\kappa - 1) \cdot 2 \oplus_3 3 \geq 1$
$n_1$: $0 \oplus_1 0 \oplus_1 (-1) \oplus_1 (\kappa - 1) \cdot (-1) \oplus_0 (-3) = 0$
$n_2$: $0 \oplus_2 2 \oplus_0 (-1) \oplus_0 (\kappa - 1) \cdot (-1) \oplus_0 0 = 0$
$n_3$: $0 \oplus_0 (-2) \oplus_0 0 \oplus_0 (\kappa - 1) \cdot 0 \oplus_0 0 = 0$
$n_4$: $1 \oplus_1 0 \oplus_0 0 \oplus_0 (\kappa - 1) \cdot 0 \oplus_0 0 = 0$

The equation for $n_4$ simplifies to $1 = 0$ and thus immediately yields
unsatisfiability and thus unreachability of the target thread state $(6, 4)$.
In contrast, for target thread state $(6, 3)$, the equations for $n_3$ and
$n_4$ both reduce to true. The conjunction of all five equations reduces to
$1 \oplus_0 (\kappa - 1) \cdot (-1) = 0$. This formula is satisfied by
$\kappa = 2$, claiming reachability of $(6, 3)$ via a path containing two full
iterations of the loop from $(3, 1)$ to $(3, 1)$. Since our method is exact
for the case of simple loops, this path is guaranteed to be genuine.
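As an added example (the editor's Python, not the paper's implementation), the operators of Sect. 3.2, Alg. 2, Lem. 2 and Thm. 3 carried through on a constructed TTD (edge set R, initial thread state (0, 0); all names are assumptions). The quotient path is supplied explicitly as segments, since the example does not build $\mathcal{P}^+$ or its SCC quotient: a loop at (0, 0) that feeds threads into local state 1, then a straight line to target (4, 3) containing two expansion edges. The straight line needs one thread in local state 2 and two in local state 1, so the counters at the initial end are all zero only for $\kappa \geq 2$. iterate cross-checks Thm. 3 against plain $\kappa$-fold application of $\Sigma_l$; the assertion in accelerate encodes the caveat from Lem. 2 that a loop ending in $l$ must be entered backwards with $n_l \geq 1$ (for $n_l = 0$ the closed form and the iteration disagree already at $\kappa = 1$). There is no Presburger solver here, so $\kappa$ is given explicitly; a target (4, 5) entered only via an expansion edge keeps its counter at 1 for every $\kappa$, which is the "1 = 0" situation of the (6, 4) example above.

```python
# Constructed example TTD (the editor's, not the paper's Fig. 1 or Fig. 2);
# initial thread state (0, 0).  Expansion edges are implicit: any consecutive
# pair of path nodes with equal shared state that is not a real edge.
R = {((0, 0), (0, 1)), ((0, 1), (1, 1)), ((1, 1), (1, 2)),
     ((1, 2), (3, 2)), ((3, 1), (4, 4)), ((4, 1), (4, 3))}
T_I = (0, 0)


def oplus(x, y, b=0):
    """x (+)_b y = max(x + y, b); the paper's x (-)_b y is oplus(x, -y, b)."""
    return max(x + y, b)


def is_edge(t, u):
    """(t, u) is an edge of P^+: real (in R) or an expansion edge."""
    return (t, u) in R or (t[0] == u[0] and t[1] != u[1])


def contributions(path, l):
    """Alg. 2: the contributions to counter n_l recorded while the path (a list
    of thread states) is traversed backwards.  Item (b, d) means n := n (+)_b d,
    with b = None for plain n := n + d.  An expansion edge leaving l contributes
    "(-)1 +1", i.e. n := max(n, 1): a thread in l is assumed present."""
    ops = []
    for i in range(len(path) - 2, -1, -1):
        t, u = path[i], path[i + 1]
        assert is_edge(t, u), (t, u)
        if (t, u) in R:
            if t[1] == l:
                ops.append((None, +1))     # real edge starts in l
            if u[1] == l:
                ops.append((None, -1))     # real edge ends in l (cancels the above if vertical)
        elif t[1] == l:
            ops += [(0, -1), (None, +1)]   # expansion edge starts in l
    return ops


def summary(path, l):
    """Sigma_l as a function: contributions are applied left to right."""
    ops = contributions(path, l)

    def sigma(n):
        for b, d in ops:
            n = n + d if b is None else oplus(n, d, b)
        return n
    return sigma


def closed_form(path, l):
    """Lem. 2: (b_l, delta_l) such that Sigma_l(n) = n (+)_{b_l} delta_l."""
    sigma = summary(path, l)
    b = sigma(1) if path[-1][1] == l else sigma(0)
    real = [(t, u) for t, u in zip(path, path[1:]) if (t, u) in R]
    delta = sum(t[1] == l for t, _ in real) - sum(u[1] == l for _, u in real)  # Eq. (3)
    return b, delta


def accelerate(loop, l, n, kappa):
    """Thm. 3, Eq. (4): kappa >= 1 backward traversals of a simple loop.
    A loop ending in l must be entered with n >= 1 (Lem. 2 uses Sigma_l(1))."""
    assert loop[0] == loop[-1] and kappa >= 1
    assert loop[-1][1] != l or n >= 1, "no thread in the loop's end state"
    b, delta = closed_form(loop, l)
    return oplus(summary(loop, l)(n), (kappa - 1) * delta, b)


def iterate(loop, l, n, kappa):
    """Brute-force cross-check of Thm. 3: apply Sigma_l kappa times."""
    sigma = summary(loop, l)
    for _ in range(kappa):
        n = sigma(n)
    return n


def final_counters(segments, t_f, kappa):
    """Symbolic backward execution of a quotient path, from target t_f.
    segments: forward-ordered ('line', path) / ('loop', cycle) items; each
    loop is traversed kappa times (kappa = 0 skips it).  Returns the counter
    vector at the initial end of the path."""
    ls = {t[1] for _, seg in segments for t in seg}
    n = {l: int(l == t_f[1]) for l in ls}      # one thread in l_F, none elsewhere
    for kind, seg in reversed(segments):
        for l in ls:
            if kind == 'line':
                n[l] = summary(seg, l)(n[l])
            elif kappa >= 1:
                n[l] = accelerate(seg, l, n[l], kappa)
    return n


def path_reachable(segments, t_f, kappa):
    """The reachability condition of Sect. 3.2: every counter except n_{l_I}
    is zero at the initial end, and n_{l_I} >= 1."""
    n = final_counters(segments, t_f, kappa)
    return n[T_I[1]] >= 1 and all(v == 0 for l, v in n.items() if l != T_I[1])


# A quotient path: a loop at (0,0) feeding threads into local state 1,
# followed by a straight line to the target (4,3) with two expansion edges.
LOOP = [(0, 0), (0, 1), (0, 0)]
LINE = [(0, 0), (0, 1), (1, 1), (1, 2), (3, 2), (3, 1), (4, 4), (4, 1), (4, 3)]
SEGMENTS = [('loop', LOOP), ('line', LINE)]
```

With the loop skipped, the straight line alone leaves $n_1 = 2$ at (0, 0), i.e. two threads that never returned to the initial local state; each backward loop traversal applies $\Sigma_1(n) = n \ominus 1$ and $\Sigma_0(n) = n + 1$, so the composed condition for $n_1$ is $2 \ominus 1 \ominus (\kappa - 1) = 0$, first satisfied at $\kappa = 2$ (three threads in total), which matches the concrete interleaving: two threads wait in local state 1 while a third reaches local state 2 and sets the shared state to 3.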

5 Summarizing Loop Nests using Recurrence Relations

Suppose an SCC along a quotient path $\sigma$ contains several simple loops,
i.e. a "loop nest", such as in the ETTD shown in Fig. 3 (left). Loops
$\mathcal{L}_1$ and $\mathcal{L}_2$ permit many structurally different paths,
for instance those of the form $(\mathcal{L}_1^* \mathcal{L}_2)^*$. The part
$\mathcal{L}_1^* \mathcal{L}_2$ does not correspond to a fixed straight-line
path; Thm. 3 can thus not be applied to accelerate the outer loop.

Our approach to handling complex loops, inspired in part by [8], is to
overapproximate their behavior in the form of a transition invariant. We first
capture the set of paths $\sigma^+$ in $\mathcal{P}^+$ from $t_I$ to $t_F$
represented by quotient path $\sigma$ as a regular expression $\xi$ (see
Fig. 3, top right). We use a standard algorithm [4] to unravel the loop
structure inside non-trivial SCCs. The resulting expression $\xi$ can be
written using only concatenation and Kleene star $*$: since $\sigma$ is an
SCC quotient path, the choice operator $|$ occurs in the translation at most
inside loops and can thus be eliminated using the identity
$(S \mid T)^* = (S^* T^*)^*$ (see the appendix).

² By Lem. 2 the right-hand side in (4) equals
$n_l \oplus_{b_l} \delta_l \oplus_{b_l} (\kappa - 1) \cdot \delta_l$, which
turns out to be not quite equal to $n_l \oplus_{b_l} \kappa \cdot \delta_l$,
due to the lack of associativity of $\oplus$.

(Figure: ETTD and its regular expression decomposition, e.g.
$\sigma_3 = e_6 e_7$ and $\sigma_4 = (e_8 (e_4 e_5 e_2 e_3)^* e_6 e_7)^{\circledast}$.)

Fig. 3. An ETTD with a loop nest (left); its regular expression decomposition
(right)

We next identify straight-line and loop segments in $\xi$, as shown in
Fig. 3, bottom right. Each straight-line segment is summarized exactly in a
Presburger formula via Lem. 2. Loops $\mathcal{L}$ are processed recursively
as follows. If $\mathcal{L} = \tau^*$ is innermost (i.e. $\tau$ is
straight-line), it is accelerated exactly using Thm. 3, resulting in a
Presburger formula of the form $\Sigma_l^{(\kappa)}(n_l)$, for local state
$l$ and loop iterator $\kappa$. If $\mathcal{L}$ is not innermost, we first
recursively translate expression $\tau$ into a transition invariant $\rho$
over $n_l$ and $n'_l$ and then solve the recurrence relation $\rho^{(\kappa)}$
($\kappa$-fold application). This step is described in more detail below.

Orthogonally to "innermost", we differentiate whether $\mathcal{L}$ is
outermost, or itself nested in another loop above it. In the latter case, we
need to summarize the behavior of $\mathcal{L}$ independently of the number
$\kappa$ of iterations. This is achieved by existentially abstracting $\kappa$
from the summary formula, followed by standard Presburger quantifier
elimination. Finally, $\mathcal{L}$ may be outermost; such loops are marked
in $\xi$ by the iterator symbol $\circledast$, e.g.
$\mathcal{L} = \tau^{\circledast}$. For such loops, parameter $\kappa$ is
retained: it becomes a free variable in the final Presburger formula; a
satisfying assignment, if any, specifies the number of iterations of this
outermost loop.

This procedure is formalized in Alg. 3. Input is the regular expression $\xi$
obtained from path $\sigma$, split into straight-line and loop segments
$\sigma_1, \ldots, \sigma_p$, and a local state $l$. The algorithm walks
through $\xi$ backwards (Line 2), processing straight-line segments (Line 4)
and four types of loops depending on what combination of "outermost (o-m)"
and "innermost (i-m)" they fall in. The transition invariants $\rho$ for the
individual segments are composed via relational product, denoted $\otimes$.
Output is a Presburger formula $\rho$ that summarizes the effect of any path
$\sigma^+$ represented by $\sigma$, as a transition invariant over local
state $l$'s counter variable $n_l$, its post-path value $n'_l$, and the
iterators $\kappa_i$ for the outermost loops.

Acceleration via recurrence solving. If expression $\tau$ in
$\sigma_i = \tau^*$ or $\sigma_i = \tau^{\circledast}$ contains loops on its
own, we summarize $\sigma_i$ by closing the transition invariant obtained for
$\tau$ under $\kappa$-fold recurrence. Solving such recurrences turns out to
be
Algorithm 3 Path-Summary($\xi$, $l$)
Input: regular expression $\xi = \sigma_1 \ldots \sigma_p$ with $q$ outermost loops; local state $l$
Output: $\rho(n_l, n'_l, \kappa_1, \ldots, \kappa_q)$: a Presburger summary for $\xi$ and local state $l$
1: $\rho$ := true
2: for each $i = p$ downto 1                           ▷ symbolically execute $\sigma$ backwards
3:   if $\sigma_i$ is straight-line then
4:     $\rho := \rho \otimes \Sigma_l(n_l)$                      ▷ $\Sigma_l(n_l)$: Lem. 2
5:   else if $\sigma_i$ has the form $\tau^*$ then
6:     if $\tau$ is star-free then
7:       $\rho := \rho \otimes \exists \kappa.\, \Sigma_l^{(\kappa)}(n_l)$     ▷ $\sigma_i$ not o-m but i-m. $\Sigma_l^{(\kappa)}(n_l)$: Thm. 3
8:     else
9:       $\rho_i$ := Path-Summary($\tau$, $l$)               ▷ $\sigma_i$ not o-m, not i-m
10:      $\rho_i^{(\kappa)}$ := Solve-Recurrence($\rho_i$)
11:      $\rho := \rho \otimes \exists \kappa.\, \rho_i^{(\kappa)}$
12:  else if $\sigma_i$ has the form $\tau^{\circledast}$ then
13:    if $\tau$ is star-free then
14:      $\rho := \rho \otimes \Sigma_l^{(\kappa_i)}(n_l)$                ▷ $\sigma_i$ o-m and i-m. $\Sigma_l^{(\kappa_i)}(n_l)$: Thm. 3
15:    else
16:      $\rho_i$ := Path-Summary($\tau$, $l$)               ▷ $\sigma_i$ o-m but not i-m
17:      $\rho := \rho \otimes$ Solve-Recurrence($\rho_i$)
18: return $l = l_I$ ? $\rho \geq 1$ : $\rho = 0$



manageable, as all involved formulas are in linear integer arithmetic
extended by the $\oplus$ operator. We rewrite the $\oplus$ according to
Eq. (2) and convert the resulting formula into disjunctive normal form. We
search each disjunct separately for a solution. For each disjunct we push the
recurrence operator $^{(\kappa)}$ inside and apply it only to individual
conjuncts; App. E justifies this.

Each conjunct is of the elementary form $n' \bowtie c$, $n \bowtie c$, or
$n' \bowtie n + c$, where $\bowtie \in \{\leq, =, \geq\}$ and
$c \in \mathbb{Z}$. We solve the $\kappa$-fold recurrence of (i.e.,
"accelerate") these elementary relations as follows. Relations
$n' \bowtie c$ and $n \bowtie c$ are invariant under $\kappa$-fold
acceleration. Relation $n' \bowtie n + c$ is accelerated according to the
table below. Here, $n$ is the variable value at path entry, $n^{(\kappa)}$
the value after $\kappa$-fold acceleration, and $n'$ the value after
abstracting the number $\kappa$ of loop iterations.

  ⋈  | κ-fold acceleration of n' ⋈ n + c | "∃κ ..." + quantifier elimination
     |                                   |    c > 0    |   c = 0   |    c < 0
  ≥  | n^(κ) ≥ n + κ·c                   | n' ≥ n + c  | n' ≥ n    | true
  ≤  | n^(κ) ≤ n + κ·c                   | true        | n' ≤ n    | n' ≤ n + c
  =  | n^(κ) = n + κ·c                   | n' ≥ n + c  | n' = n    | n' ≤ n + c

Example. We revisit Fig. 3. Given the regular expression $\xi$ shown in the
figure, Alg. 3 constructs the following constraints for the four local
states ($\kappa_1$ is the loop iterator for $\sigma_2$, $\kappa_2$ is that
for the outer loop of segment $\sigma_4$):

$l = 0$: $n'_0 \geq 1 \wedge n'_0 = \kappa_2 + \kappa_1 + 2$          $l = 1$: $n'_1 = 0$
$l = 2$: $n'_2 = 0$                                                    $l = 3$: $0 < n'_3 \leq 1 - \kappa_2 \vee n'_3 = 0$

The conjunction of these four constraints is satisfiable; a solution is
$\kappa_1 = 1$ and $\kappa_2 = 0$. We cannot, however, conclude that $t_F$ is
reachable in $\mathcal{P}_\infty$: the solution may be spurious, as we have
overapproximated the nested-loop behavior. We finally therefore design an
algorithm that tries to settle this question.
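The acceleration table as an added Python example (the editor's code, not the paper's implementation; all names are assumptions). accelerated gives the $\kappa$-fold acceleration of an elementary relation $n' \bowtie n + c$, abstracted its $\kappa$-free form according to the three right-hand columns, and abstract_conjunction pushes the abstraction into a conjunction conjunct by conjunct, keeping the invariant forms $n \bowtie c$ and $n' \bowtie c$ as they are. concrete_reach enumerates, by brute force over a bounded range, the values actually reachable by $1..\kappa$ applications of the relation; comparing the two confirms that the table overapproximates and exhibits what the abstraction loses: for $n' = n + 2$ the abstraction $n' \geq n + 2$ admits $n' = 3$ from $n = 0$, which no number of iterations produces. Solutions of that kind are exactly the spurious ones that the refinement below must try to refute.

```python
import operator

# The three relation symbols of the table (assumed spelling of the keys).
OPS = {'>=': operator.ge, '<=': operator.le, '==': operator.eq}


def accelerated(bowtie, c):
    """kappa-fold acceleration of n' ⋈ n + c (middle column of the table):
    a predicate over (n, n_kappa, kappa)."""
    op = OPS[bowtie]
    return lambda n, n_k, kappa: op(n_k, n + kappa * c)


def abstracted(bowtie, c):
    """'exists kappa >= 1 ...' followed by quantifier elimination, per the
    table columns c > 0, c = 0, c < 0.  Returns a predicate over (n, n')."""
    sign = (c > 0) - (c < 0)
    table = {
        ('>=', 1): lambda n, m: m >= n + c,
        ('>=', 0): lambda n, m: m >= n,
        ('>=', -1): lambda n, m: True,
        ('<=', 1): lambda n, m: True,
        ('<=', 0): lambda n, m: m <= n,
        ('<=', -1): lambda n, m: m <= n + c,
        ('==', 1): lambda n, m: m >= n + c,   # divisibility of n' - n by c is dropped
        ('==', 0): lambda n, m: m == n,
        ('==', -1): lambda n, m: m <= n + c,
    }
    return table[(bowtie, sign)]


def abstract_conjunction(conjuncts):
    """Push the kappa-abstraction into a conjunction of elementary relations,
    conjunct by conjunct.  A conjunct is ('n', ⋈, c), ("n'", ⋈, c) or
    ("n'~n", ⋈, c); the first two forms are invariant under acceleration."""
    preds = []
    for form, bowtie, c in conjuncts:
        op = OPS[bowtie]
        if form == 'n':
            preds.append(lambda n, m, op=op, c=c: op(n, c))
        elif form == "n'":
            preds.append(lambda n, m, op=op, c=c: op(m, c))
        else:
            preds.append(abstracted(bowtie, c))
    return lambda n, m: all(p(n, m) for p in preds)


def concrete_reach(bowtie, c, n, kmax, bound):
    """Brute force: the n' reachable from n by 1..kmax applications of
    n' ⋈ n + c, with every intermediate value kept within 0..bound."""
    op = OPS[bowtie]
    frontier, seen = {n}, set()
    for _ in range(kmax):
        frontier = {m for x in frontier for m in range(bound + 1) if op(m, x + c)}
        seen |= frontier
    return seen
```

The middle column is exact for a single elementary relation; the loss comes entirely from eliminating $\kappa$, and it is largest for the "=" row with $c \neq 0$, where the residue of $n' - n$ modulo $c$ is forgotten.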

Path reachability. Given a quotient path $\sigma$ and a corresponding regular
expression $\xi$, Alg. 4 attempts to decide the reachability of final thread
state $t_F$ in $\mathcal{P}_\infty$ along a path represented by $\sigma$. If
the conjunction, over all local states $l$, of the Presburger formulas
determined by Alg. 3 is unsatisfiable, $t_F$ is unreachable along $\sigma$.
Otherwise we have a satisfying assignment $\kappa_i$ to the iterators for the
outermost loops in $\xi$ (those for nested loops have been abstracted away).
We now unwind each outermost loop $\mathcal{L}_i$ in $\xi$ $\kappa_i$ times;
we think of this as "peeling away" the outermost loop layer. As a result, the
loop nesting height in $\xi$ decreases by one. We repeat the satisfiability
question from above for each local state.

This process has two possible outcomes: if any iteration of the while loop in
Line 4 yields unsat (Line 6), we return unknown along $\sigma$: at this point
formula Path-Summary($\xi$, $l$) no longer overapproximates, due to the
partially instantiated loop iterators. Otherwise, since the nesting height
decreases in each iteration, $\xi$ will eventually be loop nest free. The
iterator assignment $\{\kappa_i\}$ is now complete and can be unwound into a
linear path, which is checked for genuineness (Lines 9-12).


Algorithm 4 Path-Reachability($\xi$)
Input: $\xi$: regular expression for quotient path $\sigma$
Output: { unreachable | reachable + witness path | unknown } along $\sigma$
1: if $\bigwedge_{l \in L}$ Path-Summary($\xi$, $l$) is unsatisfiable then
2:   return unreachable along $\sigma$
3: $\kappa_1, \ldots, \kappa_q$ := satisfying assignment        ▷ $q$: current # of outermost loops
4: while $\xi$ contains loop nests
5:   $\xi$ := Unwind($\xi$, $\kappa_1, \ldots, \kappa_q$)
6:   if $\bigwedge_{l \in L}$ Path-Summary($\xi$, $l$) is unsatisfiable then
7:     return unknown along $\sigma$
8:   $\kappa_1, \ldots, \kappa_q$ := satisfying assignment      ▷ $q$: current # of outermost loops
9: if Unwind($\xi$, $\kappa_1, \ldots, \kappa_q$) represents a feasible execution path then
10:  return reachable + witness path
11: else
12:  return unknown along $\sigma$


Example (continued). Alg. 4 confirms that the assignment $\kappa_1 = 1, \kappa_2 = 0$ found above for the scene in Fig. 3 corresponds to a genuine path, given by the edge sequence $e_0 e_1 e_2 e_3 e_4 e_5 e_2 e_5 e_6 e_7$. This proves $t_F$ reachable.

Thm. 4 (Soundness; proof in App. F) If, for each quotient path $\sigma$ from $t_I$'s to $t_F$'s SCC, Alg. 4 returns unreachable, then $t_F$ is unreachable in $V_\infty$.

Termination of Alg. 4 is guaranteed since the loop nesting height decreases in each iteration of the while in Line 4. Moreover, as App. G shows: if $\mathcal{E}$ is loop nest free, Alg. 4 never returns unknown. This is in particular the case when all loops in $V^+$ are simple; the algorithm is sound and complete for such systems.


6 Empirical Evaluation

Our technique is implemented in a reachability checker named URSULA (for "Unbounded-thread Reachability via Symbolic execution and Loop Acceleration").

Benchmarks and Experimental Setup. We evaluate our technique on a collection of 60 examples, which is organized into two suites. The first suite contains 30 Petri nets (taken from [7]), 26 of which are safe. The second suite contains 30 Boolean programs generated from C programs (taken from [16]) using SatAbs, 5 of which are safe. For each benchmark, we consider verification of a reachability property. In the case of C programs, the property is specified via an assertion. We excluded some benchmarks from [16] because they have certain features (e.g. broadcast transitions) that URSULA currently does not support.

To apply Ursula to C programs, we use SatAbs to transform those programs to TTDs (option --build-tts) via intermediate Boolean programs. When SatAbs requires several CEGAR iterations over the C programs until the abstraction permits a decision, the same C source program gives rise to several Boolean programs and TTDs. We use Z3 (v4.3.2) as the Presburger solver [22]. All experiments are performed on a 2.3GHz Intel Xeon machine with 64 GB memory, running 64-bit Linux. Execution time is limited to 10000 seconds; memory to 4 GB. All benchmarks and our tool are available online [1].

Our evaluation is carried out in three steps: a comparison of URSULA against a recent constraint-based ("symbolic") coverability checker [7], against a range of traditional state space exploration based coverability checkers, and against Mcov with and without a coverability oracle [16].


Comparison. Fig. 4 (left) plots the comparison against Petrinizer [7], a recent constraint based coverability checker for Petri nets. It employs the marking equation technique, which essentially considers unordered collections of transitions, instead of firing sequences. The table on the right classifies how many instances Petrinizer and Ursula can solve in each benchmark category. We note that Petrinizer quickly discharges most safe instances. URSULA is (much) more precise but, as Fig. 4 shows, takes slightly more time.

  suite       | safe PN | unsafe PN | safe BP | unsafe BP
  Petrinizer  | 22/26ᵃ  | 0/4       | 5/5     | 0/25
  Ursula      | 24/26   | 2/4       | 5/5     | 20/25

  Entries: # of proved instances / # of total instances

Footnote: Petrinizer offers four methods; we use the most powerful, refinement over integer

Fig. 4. Comparison: left: Ursula against Petrinizer (for Petrinizer, we mark "unknown" as timeout); center: Ursula against Mcov; right: Ursula+Km with Mcov+Km. Suffix "+Km" means tool uses Karp-Miller procedure as forward accelerator. Each dot represents execution time on one example.


For $1 \le k \le 60$, Fig. 5 plots the total time (log-scale) taken to solve the $k$ easiest of our benchmark problems, for the following tools:

Bws: Backward reachability analysis [2,3] (Alg. 1)

Km: A Karp-Miller procedure [23] (v1.0)

IIC: Incremental, inductive coverability algorithm [18]

Mist-Ar: An abstraction refinement method presented in [11] (v1.0.3)

The results in the plot demonstrate that URSULA solves the most benchmarks (51). IIC is the most competitive among the other tools until the benchmarks are reached that it cannot solve. In general, we observe that other tools outperform URSULA on small benchmarks, an effect that can be explained by the overhead of path-wise analysis, regular expression conversion and Z3. For instance, the percentage of execution time spent on regular expression conversion is over 50% on average. How to effectively build regular expressions for TTDs or Petri nets is a question left for future research.

The center part of Fig. 4 plots the comparison against Mcov, a very efficient explicit-state exploration method. URSULA remains competitive, despite its relatively prototypical character, and the comparatively long efforts that have gone into the design of Mcov. To investigate how our technique fares against other backward-directed techniques equipped with forward accelerators (suggested first in [2]), we pair URSULA and MCOV with the Karp-Miller procedure. The right part of Fig. 4 plots the comparison of execution time. We note that Mcov with KM performs better (it solves more instances faster) than URSULA. The difference is explained by the tight and sophisticated integration of KM into MCOV, whereas Ursula is not able to benefit from forward reachability information reported for non-query elements. A deeper integration of a forward accelerator into our algorithm is an extension left for future work.

Fig. 5. Comparison: cactus plot comparing Ursula with prior coverability tools (x-axis: # of benchmarks checked successfully). An entry of the form $(k, t)$ for some curve shows the time $t$ it took to solve the $k$ easiest benchmarks for the method associated with that curve (order varies across methods).

7 Related Work

Groundbreaking results in infinite-state system analysis include the decidability of coverability in vector addition systems (VAS) [17], and the work by German and Sistla on modeling communicating finite-state threads as VAS. Numerous results have since improved on the original procedure in [17] in practice [21,23,24]. Others extend it to more general computational models, including well-structured or well-quasiordered (wqo) transition systems [2,3].

The wqo-based approach, in basic form shown in Alg. 1, along with work on acceleration techniques for infinite-state systems, was inspirational for this paper: part of our algorithm builds a Presburger formula while symbolically executing the backward search process in [2]. Our treatment of complicated nested loop structures was inspired in part by the work in [8] on computing numerical transition invariants via recurrence analyses.

Recent theoretical work by Leroux employs Presburger arithmetic to solve the VAS global configuration reachability (not coverability) problem. In [15], it is shown that a state is unreachable in the VAS iff there exists an "inductive" Presburger formula that separates the initial and final states. The existence of such a formula is determined by enumeration; termination is guaranteed by running a second semi-algorithm whose termination is guaranteed in the case of reachability. The theoretical complexity of this technique is mostly left open. Practicality is not discussed and doubted later by the author in [20], where a more direct approach is presented that permits the computation of a Presburger definition of the reachability set of the VAS in some cases, e.g. for flatable VAS. Reachability can then be cast as a Presburger decision problem, as in our algorithm. The question under what exact conditions the VAS reachability set is Presburger-definable appears to be undecided.

The results referenced above are mainly foundational in nature and target generally harder reachability questions than we do in this paper. Our contribution here is not to reproduce these theoretical results. Instead, it is to show how to practically compute a Presburger encoding whose unsatisfiability implies safety, and that the resulting formulas are often very short and easy to decide, thus giving rise to an efficient algorithm.

In recent work, classical techniques based on Petri net marking equations are revisited and used to reduce the coverability problem to linear constraint solving [7]. Like our work, this approach benefits from advances in SMT technology but is generally incomplete (the constraints overapproximate coverability). We have shown our symbolic encoding to be (more complex and) more precise: our inputs are not generic Petri nets, but systems derived from programs with shared state synchronization that imposes partial control flow constraints. Moreover, we have shown how to detect spuriousness of solution paths at least in some cases; this issue is not addressed in [7].
Appendix

A Uniqueness of the Initial State

It is inexpensive to enforce a unique initial thread state without affecting thread state reachability, provided the initial thread state set $T$ of the given TTD $V$ satisfies the following "box" property:

$$ \forall (s,t) \in T,\ (s',t') \in T:\ (s,t') \in T,\ (s',t) \in T\,. \qquad (5) $$

This holds if $T$ is a singleton. More generally, it holds if all states in $T$ have the same shared state, and it holds if all states in $T$ have the same local state. It also holds of a set $T$ whose elements form a complete rectangle in the graphical representation of $V$.

To enforce a unique initial thread state, we build a new TTD $V'$ that is identical to $V$, except that it has a single initial thread state $t_I = (s_I, l_I)$ with fresh shared and local states $s_I$, $l_I$, and the following additional edges:

$$ (s_I, l_I) \to (s, l) \ \text{ such that } (s, l) \in T\,, \text{ and} \qquad (6) $$

$$ (s, l_I) \to (s, l) \ \text{ such that } (s, l) \in T\,. \qquad (7) $$

Suppose now some thread state $t_0 = (s_0, l_0)$ is reachable in $V_n$, for some $n$. Then there exists a path from some global state $(s_1 \mid l_1, \ldots, l_n)$ such that $(s_1, l_i) \in T$ for all $i$, to a global state with shared component $s_0$ and some thread in local state $l_0$. We can attach, to the front of this path, the prefix

$$ (s_I \mid l_I, \ldots, l_I) \rightarrowtail (s_1 \mid l_1, l_I, \ldots, l_I) \rightarrowtail (s_1 \mid l_1, l_2, l_I, \ldots, l_I) \rightarrowtail \cdots \rightarrowtail (s_1 \mid l_1, l_2, l_3, \ldots, l_n)\,, $$

where each step changes one thread's local state (and, in the first step, the shared state). The new path reaches $t_0$ in $V'_n$.

Conversely, suppose some thread state $t_0 = (s_0, l_0)$ such that $s_0 \ne s_I$, $l_0 \ne l_I$ is reachable in $V'_n$, for some $n$. Then there exists a path $p'$ from $\{s_I\} \times \{l_I\}^n$ to a global state with shared component $s_0$ and some thread in local state $l_0$. The very first transition of $p'$ is by some thread executing an edge of type (6), since those are the only edges leaving the unique initial state $(s_I, l_I)$. Let that be thread number $i$, and let $(s, l) \in T$ be the new state of thread $i$.

Consider now an arbitrary thread $j \in \{1, \ldots, n\} \setminus \{i\}$; its local state after the first transition along $p'$ is $l_I$.

– If thread $j$ is never executed along $p'$, we build a new path $p''$ by inserting edge $(s, l_I) \to (s, l)$, executed by thread $j$, right after the first transition in $p'$. This is a valid edge (of type (7)) since $(s, l) \in T$. The edge moves thread $j$ into an initial thread state $(s, l) \in T$. The modified state sequence remains a valid path in $V'_n$ since no shared states have been changed, and thread $j$ is inactive henceforth.

– If thread $j$ is executed along $p'$, then the first edge it executes must be of type (7), since again this is the only way to get out of local state $l_I$. Let $(\bar s, \bar l) \in T$ be the state of thread $j$ after executing this first edge. Then $(s, l_I) \to (s, \bar l)$ is a valid edge (of type (7)): from $(s, l) \in T$ and $(\bar s, \bar l) \in T$, we conclude $(s, \bar l) \in T$, by property (5). We now build a new path $p''$, by removing from $p'$ thread $j$'s first transition, and instead inserting, right behind the first transition of $p'$, a transition where thread $j$ executes edge $(s, l_I) \to (s, \bar l)$:

$$ p' ::\ (s_I, l_I) \xrightarrow{i} (s, l)\,,\ \ldots\,,\ (\bar s, l_I) \xrightarrow{j} (\bar s, \bar l) $$

becomes

$$ p'' ::\ (s_I, l_I) \xrightarrow{i} (s, l)\,,\ (s, l_I) \xrightarrow{j} (s, \bar l)\,,\ \ldots $$

(here we add a thread index on top of an edge's arrow, to indicate the identity of the executing thread). The modified state sequence remains a valid path in $V'_n$, since the shared states "match" and are not changed by any of the removed or inserted edges. Moving the local state change of thread $j$ (from $l_I$ to $\bar l$) forward leaves the path intact, since the original edge $(\bar s, l_I) \to (\bar s, \bar l)$ was thread $j$'s first activity.

This procedure is applied to every thread $j \ne i$, with the result that, after the first $n$ transitions, all threads are in a state belonging to $T$. The suffix of $p''$ following these transitions reaches $t_0$ in $V_n$. □
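The construction of $V'$ above, with the box check (5) and the prefix path used in the first half of the proof, as an added Python example (this is not code from the paper or from URSULA). The state encoding as (shared, local) string pairs, the function names and the sample TTD are assumptions of this example; the sample edge set and initial set are constructed.

```python
from itertools import product
from typing import Iterable, List, Set, Tuple

State = Tuple[str, str]      # thread state (shared, local); constructed encoding
Edge = Tuple[State, State]   # TTD edge (s, l) -> (s', l')
Global = Tuple[str, Tuple[str, ...]]   # global state (s | l_1, ..., l_n)


def has_box_property(T: Iterable[State]) -> bool:
    """Property (5): for all (s,t), (s',t') in T, both (s,t') and (s',t) lie in T."""
    T = set(T)
    return all((s, t2) in T and (s2, t) in T
               for (s, t), (s2, t2) in product(T, T))


def unique_initial(edges: Iterable[Edge], T: Iterable[State],
                   s_I: str = "s_I", l_I: str = "l_I") -> Tuple[Set[Edge], State]:
    """Build V' from V: a fresh initial thread state t_I = (s_I, l_I) plus the
    edges of type (6), (s_I,l_I) -> (s,l), and type (7), (s,l_I) -> (s,l),
    for every (s,l) in T.  Refuses inputs that violate the box property."""
    edges, T = set(edges), set(T)
    if not has_box_property(T):
        raise ValueError("initial thread state set T violates property (5)")
    existing = {st for e in edges for st in e} | T
    if any(s == s_I for s, _ in existing) or any(l == l_I for _, l in existing):
        raise ValueError("s_I / l_I must be fresh shared and local states")
    t_I = (s_I, l_I)
    new_edges = set(edges)
    for (s, l) in T:
        new_edges.add((t_I, (s, l)))        # type (6)
        new_edges.add(((s, l_I), (s, l)))   # type (7)
    return new_edges, t_I


def initial_prefix(v_prime: Set[Edge], t_I: State, targets: List[State]) -> List[Global]:
    """The prefix attached in the proof: from (s_I | l_I,...,l_I), thread 1 takes a
    type-(6) edge to (s_1, l_1); afterwards thread i takes the type-(7) edge
    (s_1, l_I) -> (s_1, l_i).  Every step is checked against the edges of V'."""
    s_1 = targets[0][0]
    if any(s != s_1 for s, _ in targets):
        raise ValueError("all target thread states must share the shared state s_1")
    locals_ = [t_I[1]] * len(targets)
    path: List[Global] = [(t_I[0], tuple(locals_))]
    for i, (s, l) in enumerate(targets):
        edge = ((t_I if i == 0 else (s_1, t_I[1])), (s, l))
        if edge not in v_prime:
            raise ValueError(f"{edge} is not an edge of V'")
        locals_[i] = l
        path.append((s_1, tuple(locals_)))
    return path


# Constructed sample TTD: a "complete rectangle" of initial states and one edge.
T_SAMPLE: Set[State] = {("s0", "a"), ("s0", "b"), ("s1", "a"), ("s1", "b")}
EDGES_SAMPLE: Set[Edge] = {(("s0", "a"), ("s2", "c"))}

if __name__ == "__main__":
    v_prime, t_I = unique_initial(EDGES_SAMPLE, T_SAMPLE)
    print(f"V' has {len(v_prime)} edges, initial state {t_I}")
    for g in initial_prefix(v_prime, t_I, [("s1", "a"), ("s1", "b"), ("s1", "a")]):
        print(g)
```

The prefix function rejects a target vector whose thread states do not share one shared state, since the proof relies on all $(s_1, l_i)$ having the same $s_1$; a violated box property is rejected before any edge is added.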


B Proof of Lemma 2

Lem. 2 Let $b_l = \Sigma_l(1)$ if $l_k = l$ (path $\sigma^+$ ends in local state $l$), and $b_l = \Sigma_l(0)$ otherwise. Then $\Sigma_l(n_l) = n_l \oplus_{b_l} \delta_l$.

Proof: by induction on the number $k$ of vertices of $\sigma^+ = t_1, \ldots, t_k$.

$k = 1$: $\sigma^+$ has no edges, so $\Sigma_l(n_l) = n_l$, $b_l = 0$, and $\delta_l = 0$. Thus, $\Sigma_l(n_l) = n_l \oplus_{b_l} 0 = n_l \oplus_{b_l} \delta_l$.

Suppose $\sigma^+ = t_1, \ldots, t_{k+1}$ has $k+1$ vertices, and Lem. 2 holds for all paths of $k$ vertices. One such path is the suffix $\tau^+ = t_2, \ldots, t_{k+1}$ of $\sigma^+$. By the induction hypothesis, $\tau^+$'s summary function $T_l$ satisfies $T_l(n_l) = n_l \oplus_{c_l} \gamma_l$ for the real edge summary $\gamma_l$ along $\tau^+$, and $c_l = T_l(1)$ if $l_{k+1} = l$; otherwise $c_l = T_l(0)$. Note that $\tau^+$ and $\sigma^+$ have the same final state $t_{k+1} = (s_{k+1}, l_{k+1})$. We now distinguish what Alg. 2 does to the first edge $e_1 = (t_1, t_2) = ((s_1, l_1), (s_2, l_2))$ of $\sigma^+$ (which is traversed last):

Case 1: $e_1 \in R$ and $l_1 = l$: Then $\Sigma_l(n_l) = T_l(n_l) + 1$, $\delta_l = \gamma_l + 1$, and $b_l = c_l + 1$. Using the induction hypothesis (IH), we get $\Sigma_l(n_l) = n_l \oplus_{c_l} (\delta_l - 1) + 1$.

– If $n_l + \delta_l - 1 \ge c_l$, then $n_l \oplus_{c_l} (\delta_l - 1) + 1 = n_l + \delta_l = n_l \oplus_{b_l} \delta_l$ since $n_l + \delta_l \ge c_l + 1 = b_l$.

– If $n_l + \delta_l - 1 < c_l$, then $n_l \oplus_{c_l} (\delta_l - 1) + 1 = c_l + 1 = b_l = n_l \oplus_{b_l} \delta_l$ since $n_l + \delta_l < c_l + 1 = b_l$.

Case 2: $e_1 \in R$ and $l_2 = l$: This case is analogous to Case 1; for completeness, we spell it out. We have $\Sigma_l(n_l) = T_l(n_l) - 1$, $\delta_l = \gamma_l - 1$, and $b_l = c_l - 1$. Using the IH, we get $\Sigma_l(n_l) = n_l \oplus_{c_l} (\delta_l + 1) - 1$.

– If $n_l + \delta_l + 1 \ge c_l$, then $n_l \oplus_{c_l} (\delta_l + 1) - 1 = n_l + \delta_l = n_l \oplus_{b_l} \delta_l$ since $n_l + \delta_l \ge c_l - 1 = b_l$.

– If $n_l + \delta_l + 1 < c_l$, then $n_l \oplus_{c_l} (\delta_l + 1) - 1 = c_l - 1 = b_l = n_l \oplus_{b_l} \delta_l$ since $n_l + \delta_l < c_l - 1 = b_l$.

Case 3: $e_1 \in R^+ \setminus R$ and $l_1 = l$: Then $\Sigma_l(n_l) = T_l(n_l) \ominus 1 + 1$, $\delta_l = \gamma_l$, and $b_l = c_l \ominus 1 + 1$. Using the IH, we get $\Sigma_l(n_l) = n_l \oplus_{c_l} \delta_l \ominus 1 + 1$.

– If $c_l \ge 1$, then $b_l = c_l$, so $n_l \oplus_{c_l} \delta_l \ge c_l \ge 1$, hence $n_l \oplus_{c_l} \delta_l \ominus 1 + 1 = n_l \oplus_{c_l} \delta_l = n_l \oplus_{b_l} \delta_l$.

– If $c_l = 0$, then $b_l = 1$.

  • If $n_l + \delta_l \ge 1$, then $n_l \oplus_{c_l} \delta_l \ominus 1 + 1 = n_l + \delta_l \ominus 1 + 1 = n_l + \delta_l = n_l \oplus_{b_l} \delta_l$.

  • If $n_l + \delta_l \le 0$, then $n_l \oplus_{c_l} \delta_l \ominus 1 + 1 = c_l \ominus 1 + 1 = 1 = n_l \oplus_{b_l} \delta_l$.

Case 4: none of the above. In this case $e_1$ has no impact on the path summary generated by Alg. 2. Thus, $\Sigma_l(n_l) = T_l(n_l)$; in particular we have $b_l = c_l$ and $\delta_l = \gamma_l$. Further, $\Sigma_l(n_l) = T_l(n_l) = n_l \oplus_{c_l} \gamma_l = n_l \oplus_{b_l} \delta_l$. □


C Proof of Theorem 3

Thm. 3 Let superscript $(\kappa)$ denote $\kappa$ function applications. Then, for $\kappa \ge 1$,

$$ \Sigma_l^{(\kappa)}(n_l) = \Sigma_l(n_l) \oplus_{b_l} (\kappa - 1) \cdot \delta_l\,. \qquad (8) $$

Proof: by induction on $\kappa$. For $\kappa = 1$, the right-hand side (rhs) of (8) equals $\Sigma_l(n_l) \oplus_{b_l} 0 = \Sigma_l(n_l)$ since $\Sigma_l(n_l) + 0 = \Sigma_l(n_l) \ge b_l$ by Lem. 2. Now suppose (8) holds. For the inductive step we obtain:

$$ \Sigma_l^{(\kappa+1)}(n_l) = \Sigma_l(\Sigma_l^{(\kappa)}(n_l)) \overset{(8)}{=} \Sigma_l\bigl(\Sigma_l(n_l) \oplus_{b_l} (\kappa - 1) \cdot \delta_l\bigr) \overset{\text{Lem. 2}}{=} \bigl(\Sigma_l(n_l) \oplus_{b_l} (\kappa - 1) \cdot \delta_l\bigr) \oplus_{b_l} \delta_l\,. \qquad (9) $$

We now distinguish three cases ($\langle \ldots \rangle$ below contains proof step justifications):

(1) If $\delta_l \ge 0$:

$$ = \langle\ (\kappa - 1) \cdot \delta_l \ge 0,\ \Sigma_l(n_l) \ge b_l,\ \text{hence } \Sigma_l(n_l) + (\kappa - 1) \cdot \delta_l \ge b_l\ \rangle $$
$$ \bigl(\Sigma_l(n_l) + (\kappa - 1) \cdot \delta_l\bigr) \oplus_{b_l} \delta_l $$
$$ = \langle\ \delta_l \ge 0\ \rangle $$
$$ \bigl(\Sigma_l(n_l) + (\kappa - 1) \cdot \delta_l\bigr) + \delta_l = \Sigma_l(n_l) + \kappa \cdot \delta_l $$
$$ = \langle\ \Sigma_l(n_l) + \kappa \cdot \delta_l \ge b_l\ \rangle $$
$$ \Sigma_l(n_l) \oplus_{b_l} \kappa \cdot \delta_l\,, $$

the final expression being the rhs of (8) for $\kappa$ replaced by $\kappa + 1$.

(2) If $\delta_l < 0$ and $\Sigma_l(n_l) + (\kappa - 1) \cdot \delta_l < b_l$, then also $\Sigma_l(n_l) + \kappa \cdot \delta_l < b_l$, and:

$$ = \langle\ \Sigma_l(n_l) + (\kappa - 1) \cdot \delta_l < b_l\ \rangle $$
$$ b_l \oplus_{b_l} \delta_l $$
$$ = \langle\ \delta_l < 0\ \rangle $$
$$ b_l $$
$$ = \langle\ \Sigma_l(n_l) + \kappa \cdot \delta_l < b_l\ \rangle $$
$$ \Sigma_l(n_l) \oplus_{b_l} \kappa \cdot \delta_l\,. $$

(3) If finally $\delta_l < 0$ and $\Sigma_l(n_l) + (\kappa - 1) \cdot \delta_l \ge b_l$, then (9) reduces to $(\Sigma_l(n_l) + (\kappa - 1) \cdot \delta_l) \oplus_{b_l} \delta_l$. To get an overview of what we need to prove, let

$$ X = \Sigma_l(n_l) + (\kappa - 1) \cdot \delta_l\,, \quad X' = \Sigma_l(n_l)\,, \quad Y = \delta_l\,, \quad Y' = \kappa \cdot \delta_l\,. $$

Then (the reduced) (9) equals $X \oplus_{b_l} Y$, and the rhs of (8) equals $X' \oplus_{b_l} Y'$. Further, observe that $X + Y = X' + Y'$. This implies that $X \oplus_{b_l} Y = X' \oplus_{b_l} Y'$, which follows immediately by distinguishing whether $X + Y \ge b_l$ or not. The equality $X \oplus_{b_l} Y = X' \oplus_{b_l} Y'$ is what we needed to prove. □
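To make the closed forms of Lem. 2 and Thm. 3 concrete, here is an added Python example (not code from the paper or from URSULA). It builds a path summary function from the four edge cases in the proof of Lem. 2, applying edges from the last back to the first as the proof's suffix argument does, and then checks both closed forms by brute force on a constructed loop in $V^+$. The edge encoding, the function names and the sample loop are assumptions of this example; $\oplus_b$ is implemented as addition floored at $b$, which is how the case splits of both proofs use it, and $\ominus$ as truncated subtraction.

```python
from typing import Callable, List, Tuple

# Constructed edge encoding (an assumption of this example): an edge of the
# expanded path sigma+ is ("real", l_from, l_to) for a TTD edge in R, or
# ("exp", l_from, l_to) for an expansion edge in R+ \ R.
Edge = Tuple[str, int, int]


def oplus(x: int, y: int, b: int) -> int:
    """x (+)_b y: x + y if x + y >= b, else b (the reading of (+)_b that the
    case splits in the proofs of Lem. 2 and Thm. 3 rely on)."""
    return x + y if x + y >= b else b


def expand(n: int) -> int:
    """n (-) 1 + 1 with (-) truncated subtraction: the effect of an expansion
    edge starting in l on counter n_l (Case 3 of Lem. 2's proof)."""
    return max(n - 1, 0) + 1


def summary(path: List[Edge], l: int) -> Callable[[int], int]:
    """Path summary function Sigma_l, assembled as in the proof of Lem. 2: the
    suffix is summarized first, so edges act from the last one back to the first."""
    def sigma(n: int) -> int:
        for kind, l_from, l_to in reversed(path):
            if kind == "real":
                if l_from == l:
                    n += 1            # Case 1: real edge starting in l
                if l_to == l:
                    n -= 1            # Case 2: real edge ending in l
            elif l_from == l:
                n = expand(n)         # Case 3: expansion edge starting in l
            # Case 4: the edge does not touch n_l
        return n
    return sigma


def real_edge_summary(path: List[Edge], l: int) -> int:
    """delta_l: net change of n_l contributed by the real edges of the path."""
    return sum(int(f == l) - int(t == l) for k, f, t in path if k == "real")


def floor_value(path: List[Edge], l: int) -> int:
    """b_l = Sigma_l(1) if the (non-empty) path ends in local state l, else Sigma_l(0)."""
    return summary(path, l)(1 if path[-1][2] == l else 0)


def lemma2_closed_form(path: List[Edge], l: int) -> Callable[[int], int]:
    """Lem. 2: Sigma_l(n) = n (+)_{b_l} delta_l."""
    d, b = real_edge_summary(path, l), floor_value(path, l)
    return lambda n: oplus(n, d, b)


def theorem3_closed_form(path: List[Edge], l: int, kappa: int) -> Callable[[int], int]:
    """Thm. 3 (eq. 8): Sigma_l^(kappa)(n) = Sigma_l(n) (+)_{b_l} (kappa-1)*delta_l."""
    sigma, d, b = summary(path, l), real_edge_summary(path, l), floor_value(path, l)
    return lambda n: oplus(sigma(n), (kappa - 1) * d, b)


def iterate(path: List[Edge], l: int, kappa: int, n: int) -> int:
    """Sigma_l applied kappa times by plain repetition (the reference value)."""
    sigma = summary(path, l)
    for _ in range(kappa):
        n = sigma(n)
    return n


def check_closed_forms(path: List[Edge], l: int, max_n: int = 8, max_kappa: int = 6) -> bool:
    """Brute-force confirmation of Lem. 2 and Thm. 3 on arguments n >= x, where
    x = 1 if the path ends in l and 0 otherwise (the argument at which the
    summaries are evaluated in App. F and G)."""
    x = 1 if path[-1][2] == l else 0
    sigma, lem2 = summary(path, l), lemma2_closed_form(path, l)
    for n in range(x, max_n + 1):
        if sigma(n) != lem2(n):
            return False
        for kappa in range(1, max_kappa + 1):
            if iterate(path, l, kappa, n) != theorem3_closed_form(path, l, kappa)(n):
                return False
    return True


# Constructed loop in V+: (s_a,0) -real-> (s_b,1) -exp-> (s_b,2) -real-> (s_a,0).
LOOP: List[Edge] = [("real", 0, 1), ("exp", 1, 2), ("real", 2, 0)]

if __name__ == "__main__":
    for l in (0, 1, 2):
        print(f"l={l}: delta_l={real_edge_summary(LOOP, l)}, "
              f"b_l={floor_value(LOOP, l)}, closed forms agree: {check_closed_forms(LOOP, l)}")
```

On the sample loop, local state 1 has $\delta_1 = -1$ and $b_1 = 0$, so $\Sigma_1^{(\kappa)}(n) = n \oplus_0 (-\kappa)$ floors at zero exactly as the iterated summary does; the brute-force check is what a reader should extend with further constructed paths before relying on the closed form for a new edge case.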


D Making Regular Expressions Alternation-Free

Lem. 5 Let $S$ and $T$ be regular expressions. Then $(S \mid T)^* = (S^* T^*)^*$.

Proof: We show a subset relationship in both directions.

1. LHS $\subseteq$ RHS:

  $S \subseteq S^* \subseteq S^* T^*$                 (properties of *)
  $T \subseteq T^* \subseteq S^* T^*$                 (ditto)
  $S \mid T \subseteq S^* T^*$                        (by the above two and set theory)
  $(S \mid T)^* \subseteq (S^* T^*)^*$                (monotonicity of *)

2. RHS $\subseteq$ LHS:

  $S \subseteq S \mid T$                              (property of |)
  $S^* \subseteq (S \mid T)^*$                        (monotonicity of *)
  $T^* \subseteq (S \mid T)^*$                        (by symmetry)
  $S^* T^* \subseteq (S \mid T)^*$                    (property of *: $x \in E^* \wedge y \in E^* \Rightarrow xy \in E^*$)
  $(S^* T^*)^* \subseteq ((S \mid T)^*)^*$            (monotonicity of *)
  $(S^* T^*)^* \subseteq (S \mid T)^*$                (idempotence of *: $(E^*)^* = E^*$)

□
E Recurrences of Conjunctions as Conjunctions of Recurrences

We show that replacing a recurrence of a conjunction by the conjunction of the recurrences applied to the individual conjuncts overapproximates. Formally:

Lem. 6 Let $A$ and $B$ be binary relations. Then $(A \cap B)^{(\kappa)} \subseteq A^{(\kappa)} \cap B^{(\kappa)}$.

Proof: We first formalize our notion of "recurrence". Let $C$ be a binary relation. The $\kappa$-fold recurrence $C^{(\kappa)}$ is relation $C$ composed with itself $\kappa$ times, i.e. the set

$$ C^{(\kappa)} = C \circ \cdots \circ C = \{(x, y) \mid \exists c_1, \ldots, c_{\kappa-1}:\ (x, c_1) \in C,\ (c_1, c_2) \in C,\ \ldots,\ (c_{\kappa-2}, c_{\kappa-1}) \in C,\ (c_{\kappa-1}, y) \in C\}\,. $$

From this definition it follows that the recurrence operator $^{(\kappa)}$ is monotone: $C_1 \subseteq C_2 \Rightarrow C_1^{(\kappa)} \subseteq C_2^{(\kappa)}$. Therefore:

  $A \cap B \subseteq A$                                        (set theory)
  $(A \cap B)^{(\kappa)} \subseteq A^{(\kappa)}$                (monotonicity of $^{(\kappa)}$)
  $(A \cap B)^{(\kappa)} \subseteq B^{(\kappa)}$                (symmetry)
  $(A \cap B)^{(\kappa)} \subseteq A^{(\kappa)} \cap B^{(\kappa)}$   (set theory)

□
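The inclusion in Lem. 6 is in general strict, which is exactly why a nested-loop summary built from conjunctions of recurrences can admit spurious solutions (the situation Alg. 4 has to settle). The following added Python example (not code from the paper or from URSULA) implements the $\kappa$-fold recurrence on finite relations, checks the lemma for a range of $\kappa$, and exhibits a constructed pair of relations for which the conjunction of recurrences contains a pair that no genuine $\kappa$-step path satisfies. The relation encoding, function names and sample relations are assumptions of this example.

```python
from typing import Set, Tuple

Pair = Tuple[int, int]
Relation = Set[Pair]   # a finite binary relation over integer-labelled states


def compose(r: Relation, s: Relation) -> Relation:
    """Relational composition r ; s = {(x, z) | exists y: (x, y) in r, (y, z) in s}."""
    return {(x, z) for (x, y) in r for (y2, z) in s if y == y2}


def recurrence(c: Relation, kappa: int) -> Relation:
    """C^(kappa): C composed with itself kappa times, kappa >= 1 (App. E)."""
    if kappa < 1:
        raise ValueError("kappa must be at least 1")
    result = set(c)
    for _ in range(kappa - 1):
        result = compose(result, c)
    return result


def recurrence_of_conjunction(a: Relation, b: Relation, kappa: int) -> Relation:
    """Left-hand side of Lem. 6: (A ∩ B)^(kappa), the exact kappa-step relation."""
    return recurrence(a & b, kappa)


def conjunction_of_recurrences(a: Relation, b: Relation, kappa: int) -> Relation:
    """Right-hand side of Lem. 6: A^(kappa) ∩ B^(kappa), the summary that
    treats the two conjuncts independently."""
    return recurrence(a, kappa) & recurrence(b, kappa)


def lemma6_holds(a: Relation, b: Relation, max_kappa: int = 5) -> bool:
    """Brute-force check of the inclusion for kappa = 1 .. max_kappa."""
    return all(recurrence_of_conjunction(a, b, k) <= conjunction_of_recurrences(a, b, k)
               for k in range(1, max_kappa + 1))


def spurious_pairs(a: Relation, b: Relation, kappa: int) -> Relation:
    """Pairs admitted by the conjunction of recurrences but not by any genuine
    kappa-step path that satisfies both relations at every step."""
    return conjunction_of_recurrences(a, b, kappa) - recurrence_of_conjunction(a, b, kappa)


# Constructed sample: A reaches 2 from 0 via 1, B reaches 2 from 0 via 3, but
# no two-step path satisfies both relations at both steps.
A: Relation = {(0, 1), (1, 2), (0, 3)}
B: Relation = {(0, 1), (0, 3), (3, 2)}

if __name__ == "__main__":
    print("Lem. 6 holds on sample:", lemma6_holds(A, B))
    print("spurious 2-step pairs:", spurious_pairs(A, B, 2))
```

The pair $(0, 2)$ is in $A^{(2)} \cap B^{(2)}$ but not in $(A \cap B)^{(2)}$: each conjunct alone admits a two-step path from 0 to 2, yet the intermediate states differ, so the summary overapproximates precisely there.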


F Proof of Theorem 4

Thm. 4 If, for each quotient path $\sigma$ from $t_I$'s to $t_F$'s SCC, Alg. 4 returns unreachable, then $t_F$ is unreachable in $V_\infty$.

Proof: we show the contrapositive: if thread state $t_F$ is reachable in $V_\infty$, then there exists a path $\sigma$ in $V$ from $t_I$'s to $t_F$'s SCC such that, for any regular expression encoding $\mathcal{E}$ of $\sigma$, $\bigwedge_{l \in L}$ Path-Summary($\mathcal{E}$, $l$) is satisfiable. If this is the case, Alg. 4 does not enter Line 2. Since there is no other opportunity for the algorithm to return unreachable along $\sigma$, the contrapositive is proved.

Suppose $t_F$ is reachable in $V_\infty$, say via a path $p$ in $V_n$ of the form

$$ p ::\ (s_I \mid l_I, \ldots, l_I) \rightarrowtail^* (s_F \mid l'_1, \ldots, l'_{v-1}, l_F, l'_{v+1}, \ldots, l'_n)\,, \qquad (10) $$

and let $(e_1, \ldots, e_{|p|}) \in R^{|p|}$ be the sequence of TTD edges executed along $p$. We first construct a path $\sigma^+$ from $t_I$ to $t_F$ in $V^+$, by processing the $e_i$ as follows:

(1) Edge $e_1$ (which starts in $t_I$) is processed by copying it to $\sigma^+$.

(2) Suppose edge $e_{i-1}$ has been processed, and suppose its target state is $(s, l)$. Edge $e_i$'s source state has shared component $s$ as well, since it is executed in $p$ from the global state reached after executing $e_{i-1}$. So let $e_i$'s source state be $(s, l')$.

Edge $e_i$ is now processed as follows. If $l = l'$, append $e_i$ to $\sigma^+$. Otherwise, first append $(s, l) \to (s, l')$ to $\sigma^+$, then $e_i$. Note that $(s, l) \to (s, l')$ is a valid expansion edge in $R^+$, since there exist two edges, $e_{i-1}$ and $e_i$, adjacent to the expansion edge's source and target, respectively.

Step (2) is repeated until all edges have been processed. It is clear by construction that $\sigma^+$ is a valid path in $V^+$, and that it starts in $t_I = (s_I, l_I)$. We finally have to show that it ends in $t_F = (s_F, l_F)$. It may in fact not: let $(s_F, l_f)$ be the target state of the final edge $e_{|p|}$; $l_f$ may or may not be equal to $l_F$. If it is not, we append an edge $(s_F, l_f) \to (s_F, l_F)$ to $\sigma^+$. This is a valid expansion edge by Def. 1, and $\sigma^+$ now ends in $t_F$.

We observe of this construction that $\sigma^+$ consists of all TTD edges fired along $p$, in that order, plus possibly some expansion edges inserted in between or at the end. Let now $\sigma$ be the corresponding quotient path in $V$ (it runs from $t_I$'s to $t_F$'s SCC) and $\mathcal{E}$ a regular expression encoding of $\sigma$. We show $\bigwedge_{l \in L}$ Path-Summary($\mathcal{E}$, $l$) is satisfiable.

We begin by showing a relationship between formula Path-Summary($\mathcal{E}$, $l$) (over regular expressions with loops) and "unwound" expressions. We first formalize the concept of expression unwinding. In contrast to $\sigma$, $\mathcal{E}$ unambiguously identifies loops, via its Kleene star subexpressions. Let therefore $L_1, \ldots, L_m$ be the loops in $\mathcal{E}$. Given non-negative integers $\kappa_1, \ldots, \kappa_m$, the $(\kappa_1, \ldots, \kappa_m)$-unwinding of $\mathcal{E}$ is the sequence of edges over $R^+$ obtained by replacing each loop $L_i$, say of the form $r_i^*$, by $r_i \ldots r_i$, with $\kappa_i$ occurrences of $r_i$. By construction, the $(\kappa_1, \ldots, \kappa_m)$-unwinding of $\mathcal{E}$ forms a path in $V^+$.

Lem. 7 Let $\kappa_1, \ldots, \kappa_m \in \mathbb{N}$, and $\tau^+$ be $\mathcal{E}$'s $(\kappa_1, \ldots, \kappa_m)$-unwinding. Let also $l$ be a local state, and $x = (l = l_F\ ?\ 1 : 0)$. Let finally $T_l$ be path $\tau^+$'s summary function for local state $l$. Then the following formula is valid:

$$ T_l(x) \ge 1 \Rightarrow \text{Path-Summary}(\mathcal{E}, l) \quad \text{if } l = l_I\text{, and} $$
$$ T_l(x) = 0 \Rightarrow \text{Path-Summary}(\mathcal{E}, l) \quad \text{otherwise}\,. $$

Proof: Path-Summary($\mathcal{E}$, $l$) and the summary function $T_l$ are computed over the same path, except that in the latter, each loop has been unwound $\kappa_i$ times. By Thm. 3, the closed-form terms used in Path-Summary($\mathcal{E}$, $l$) for innermost loops yield the same values as the summaries of the unwound paths. Non-innermost loops are overapproximated by Path-Summary($\mathcal{E}$, $l$), preserving the satisfaction of the assignment given by $\kappa_1, \ldots, \kappa_m$. □

By Lem. 7, in order to show that $\bigwedge_{l \in L}$ Path-Summary($\mathcal{E}$, $l$) is satisfiable, it suffices to find $\kappa_1, \ldots, \kappa_m \in \mathbb{N}$ such that, for every $l \in L$, $T_l(x) \ge 1$ if $l = l_I$, and $T_l(x) = 0$ otherwise, for $T_l$ as in the lemma. To this end, consider path $\sigma^+$ constructed above. Since expression $\mathcal{E}$ captures all paths in $V^+$ represented by quotient path $\sigma$, the $R^+$ sequence $\sigma^+$ matches regular expression $\mathcal{E}$. Let therefore $\kappa_1, \ldots, \kappa_m$ be the numbers of iterations of each Kleene star that witness the match. The summary function of $\mathcal{E}$'s $(\kappa_1, \ldots, \kappa_m)$-unwinding is exactly the summary function $\Sigma_l$ of path $\sigma^+$. It remains to show that $\Sigma_{l_I}(x) \ge 1$, and $\Sigma_l(x) = 0$ for $l \ne l_I$.

We have $\Sigma_{l_I}(x) \ge 1$ since backward-traversing the first edge of path $p$ increments counter $n_{l_I}$ (the property also holds in the trivial case that $p$ has no edges). The claim $\Sigma_l(x) = 0$ for $l \ne l_I$ is more involved; we prove it by generalization. Let $\sigma^+$ be arbitrarily decomposed into segments $\rho^+ \circ \pi^+$, such that $\pi^+$ is any suffix of $\sigma^+$, with summary function $\Pi_l$. Let global path $q$ be the suffix of $p$ "corresponding" to $\pi^+$, i.e. the suffix of $p$ starting after all edges of $\rho^+$ have fired. We show

$$ \Pi_l(x) \le n_l(q_1)\,, \text{ for the initial state } q_1 \text{ of } q\,. \qquad (11) $$

Eq. (11) is sufficient for $\Sigma_l(x) = 0$: let $\pi^+ = \sigma^+$, hence $q = p$. Then (11) becomes $\Sigma_l(x) \le n_l(p_1)$ with $p_1 = (s_I \mid l_I, \ldots, l_I)$. Since $l \ne l_I$, we have $n_l(p_1) = 0$, so $\Sigma_l(x) = 0$ follows.

We now prove $\Pi_l(x) \le n_l(q_1)$ by induction on the length of $\pi^+$. If $\pi^+$ is empty, then $\Pi_l(x) = x$ (Alg. 2), and $q$ is empty as well. Hence $q_1$ is the final state of $p$. If $l = l_F$, then $x = 1$ and $n_l(q_1) \ge 1$, so $1 = x = \Pi_l(x) \le n_l(q_1)$. If $l \ne l_F$, then $x = 0$ and the property holds trivially.

Suppose now (11) holds for the suffix of $\sigma^+$ equal to $\pi^+$ except for the first edge of $\pi^+$. Call this edge $e$: $\pi^+ = \{e\} \circ \delta^+$.

– if $e$ is a real edge of $\sigma^+$, then it is fired along $q$. Doing so increases counter $n_l$ if $e$ starts in local state $l$, it decreases $n_l$ if $e$ ends in local state $l$, and leaves $n_l$ invariant if not adjacent to $l$. These updates are in agreement with what the path summary function $\Pi_l$ does to its integer argument (Alg. 2, first two if clauses). Eq. (11) is thus preserved across $e$.

– if $e = (s, j) \to (s, j')$ is an expansion edge of $\sigma^+$, then it of course does not exist in $q$ and thus does not affect $n_l$. If $l \ne j$, summary $\Sigma_l$ does not change either, by Alg. 2, final if clause.

If $l = j$, we note that $e$ cannot be the first edge of $\sigma^+$: by construction, this first edge is a real edge. Since it is not the first, $e$ is preceded by a real edge $e^- = (\cdot, \cdot) \to (s, j)$ of $\sigma^+$ that fired along $p$. This implies that the first state $q_1$ of $q$ contains a thread in local state $j$: $n_j(q_1) \ge 1$.

Let now $\Delta_j$ be $\delta^+$'s summary function. Since $\delta^+$ and $\pi^+$ differ only by expansion edge $e$, Alg. 2 tells us that $\Pi_j(x) = \Delta_j(x) \ominus 1 + 1$, and by the induction hypothesis, $\Delta_j(x) \le n_j(q_1)$. If now $\Delta_j(x) \ge 1$, then $\Pi_j(x) = \Delta_j(x)$, and $\Pi_j(x) \le n_j(q_1)$ holds. If, however, $\Delta_j(x) = 0$, then also $\Pi_j(x) = 1 \le n_j(q_1)$, which concludes the proof. □


G Correctness for the Simple-Loop Case

In the following we show that, if all loops in $V^+$ are simple, Alg. 4 is not only sound but also complete, i.e. it never returns "unknown". The latter can happen in Alg. 4 in two places: in Line 7, which is inside the loop guarded by the condition "$\mathcal{E}$ contains loop nests" and thus unreachable if all loops are simple, and in Line 12. To show that Line 12 is also unreachable, we prove: if the satisfiability check in Line 1 is successful, i.e. $\bigwedge_{l \in L}$ Path-Summary($\mathcal{E}$, $l$) is satisfiable with assignment $\kappa_1, \ldots, \kappa_q$, then Unwind($\mathcal{E}$, $\k
appa_1, \ldots, \kappa_q$) represents a feasible execution path.

Thm. 8 If there exists a path in $V$ from $t_I$'s to $t_F$'s SCC with regular expression encoding $\mathcal{E}$ such that $\bigwedge_{l \in L}$ Path-Summary($\mathcal{E}$, $l$) is satisfiable, then thread state $t_F$ is reachable in $V_\infty$.

Proof: Let $\sigma$ and $\mathcal{E}$ be such a path in $V$ and regular expression, and let $\kappa_1, \ldots, \kappa_q$ be an assignment satisfying $\bigwedge_{l \in L}$ Path-Summary($\mathcal{E}$, $l$). The procedure in Alg. 5 constructs a path $p$ in $V_\infty$ that ends in a state containing a thread in $t_F$. Line 1 first unwinds $\mathcal{E}$ into $\sigma^+ = t_1, \ldots, t_k$ in $V^+$; note that $t_1 = t_I$, $t_k = t_F$. Starting from global state $(s_F \mid l_F)$ (Line 3), the procedure now traverses $\sigma^+$ backwards. Intuitively, each real edge is executed backwards. Each expansion edge is processed by adding, to all states currently present in $p$, a thread in the source local state $l_i$ of the edge if the current first state $p_1$ does not already contain a thread in $l_i$, denoted $n_{l_i}(p_1) = 0$ in Line 9.

Algorithm 5 Constructing a global witness path $p$ in $V_\infty$ from a path $\sigma$ in $V$

Input: path $\sigma$ in $V$, reg. expr. $\mathcal{E}$, satisfying assignment $\kappa_1, \ldots, \kappa_q$
1: let $\sigma^+ = t_1, \ldots, t_k$ be the $(\kappa_1, \ldots, \kappa_q)$-unwinding of $\mathcal{E}$      ▷ $(t_i, t_{i+1}) \in V^+$
2: $e_i := (t_i, t_{i+1})$ for $1 \le i < k$,  $(s_i, l_i) := t_i$ for $1 \le i \le k$
3: $p$ := "$(s_F \mid l_F)$"
4: for $i := k - 1$ downto 1
5:   let $p_1$ be the current first state along $p$
6:   if $e_i \in R$ then                                           ▷ $e_i$ = real edge
7:     let $p_0$ be the global state obtained by executing $e_i$ backwards from $p_1$
8:     add "$p_0 \rightarrowtail$" to the front of $p$
9:   else if $n_{l_i}(p_1) = 0$ then                               ▷ $e_i$ = expansion edge
10:    to every state along the current $p$, add a thread in local state $l_i$

Formally, the algorithm maintains the following invariant:

Prop. 9 When edge $e_i = ((s_i, l_i), (s_{i+1}, l_{i+1}))$ (real or expansion) is processed, the first global state $p_1$ along $p$ satisfies $p_1 \succeq (s_{i+1} \mid l_{i+1})$.

This property (proved below) ensures that the step in Line 7 is executable. As a result, $p$ is, at any time, a valid path in $V_\infty$: when processing a real edge, by executing it backwards, Prop. 9 guarantees that the added global transition is valid. When processing an expansion edge, by adding a thread in a fixed local state to all states currently present in $p$, we preserve all global transitions in $p$, due to the monotonicity property of $\succeq$ and $\rightarrowtail$.

Prop. 9 follows from a simple inductive argument. It holds for $i = k - 1$, since $e_{k-1}$ ends in $t_k = t_F = (s_F, l_F)$, which is initially the first state of $p$ (Line 3). Consider processing edge $e_i$. If the previous edge $e_{i+1}$ is a real edge, the property holds for $e_i$ because $e_{i+1}$ was executed backwards, resulting in a thread in state $(s_{i+1}, l_{i+1})$. If $e_{i+1}$ is an expansion edge and $l_{i+1}$ was added to all states along $p$, then it was added to $p_1$, and the property holds for $e_i$. If $l_{i+1}$ was not added, this is because the then first state $p_1$ of $p$ already contains a thread in local state $l_{i+1}$, and $p_1$ is unchanged. Since $s_{i+1} = s_{i+2}$ ($e_{i+1}$ = expansion edge), the property holds for $e_i$, too.

By Line 3, it is clear that $p$ ends in a state covering $t_F$: the last state can only be changed by adding threads in certain local states (Line 10), which has no bearing on the covering property. It remains to be shown that, when Alg. 5 terminates, the first state $p_1$ of $p$ is initial, i.e. of the form $(s_I \mid l_I, \ldots, l_I)$.

State $p_1$'s shared component is $s_I$ since $\sigma^+$ begins in this shared state. Thus, the last real edge processed sets the shared state to $s_I$ (if none, we have $s_I = s_F$). As for the local states, let $l \ne l_I$; we show $n_l(p_1) = 0$. Let $x$ be the number of threads in local state $l$ in the last state of $p$, i.e., $x = 1$ if $l = l_F$, and $x = 0$ otherwise. By Lem. 7, $\Sigma_l(x) = 0 \Rightarrow$ Path-Summary($\mathcal{E}$, $l$). Since the assignment $\kappa_1, \ldots, \kappa_q$ satisfies Path-Summary($\mathcal{E}$, $l$), we conclude $\Sigma_l(x) = 0$.

We finally show $\Sigma_l(x) = n_l(p_1)$, from which $n_l(p_1) = 0$ follows as desired. We prove this by induction on the number of edges of $\sigma^+$. If $\sigma^+$ has no edges, then $\Sigma_l(x) = x$, which equals $n_l(p_1)$ by the definition of $x$ and by $p_1 = (s_F \mid l_F)$. For the inductive step, we distinguish the different ways an edge $e_i$ is processed in Alg. 5:

– Processing a real edge $e_i$ of $\sigma^+$ that starts in local state $l$ creates a new global state $p_0$ for $p$ with $n_l(p_0) = n_l(p_1) + 1$. This is in agreement with what the path summary function $\Sigma_l$ does to its integer argument (Alg. 2).

– Analogous reasoning applies to a real edge that ends in local state $l$.

– A real edge not adjacent to local state $l$ leaves $n_l$ unchanged, as does $\Sigma_l$.

– Processing an expansion edge $e_i$ that starts in local state $l$ changes the first state $p_1$ to $p'_1$ such that $n_l(p'_1) = n_l(p_1) + 1$ if $n_l(p_1) = 0$, and $n_l(p'_1) = n_l(p_1)$ otherwise. That is exactly the semantics of the operation $\ominus 1 + 1$ that the path summary function applies to its argument in this case (Alg. 2).

– Processing an expansion edge $e_i$ that does not start in local state $l$ does not affect counter $n_l$. The same is true for $\Sigma_l$, by Alg. 2. □



